Archive for October, 2005

Uncategorized

Beyond Java (or, Does This API Make Me Look Fat?)

I recently finished Bruce Tate’s Beyond Java, a book every Java programmer should read. Especially those who havent worked much with other languages. I should say right now that I probably feel this way because it validates much of what I’ve been arguing from years, from the perspective of someone deep inside the Java world.

Recent comments here should make it clear that Java and I aren’t exactly on speaking terms. It isn’t so much the language as all the deadwood that’s built up around it. A coworker and I recently spent a day reorganizing a legacy codebase so we could use Eclipse as an actual IDE instead of just a big, slow text editor. About half the day was spent figuring out the XDoclet used to build the app. And it dawned on me: we’re using XDoclet to generate all this code that doesn’t contribute meaningfully to the application, but rather is required scaffolding to maintain the EJB framework. Code generation has its point, but when you have to then maintain that code … ugh. I’m watching my team struggle to produce web apps in a timely fashion, held back not by the difficulty of business problems, but by the bulk and complexity of J2EE programming. We spend more time in care and feeding of the framework than we do writing application code. That just doesn’t seem right.

Bruce Tate makes a convincing argument that Java is at a point where it can either rally its forces and continue on with renewed vigor, or be overtaken by a new contender(s) with programming models that support more rapid development and match business and programming needs more closely. He doesn’t seem all that hopeful for Java.

Tate is almost reluctant in this. Java has been good to him. A best-selling author with a successful consultancy, he is very much at home in the Java world. So to give Java its fair due, he walks us through its history, identifying the roots of its early success: wooing C and C++ programmers to a better programming experience. But now, he argues, Java is moving away from its base, expanding in strange and poorly planned directions (e.g. generics — perhaps useful, but poorly implemented), growing an ever-larger stack of technologies necessary to even function as a Java programmer. Java is effective for system or middleware programming, but failing as a language for writing applications. Other languages — Python, Ruby — are gaining popularity because they let programmers do their jobs faster, better, writing less code to do more.

He points out what still surprises many programmers: while we discover that dynamic typing is quite effective and not that dangerous, the changes made to Java only reinforce static typing (e.g. generics). I, for one, am tired of spending my time worrying about such details that do not demonstrably contribute to the effectiveness, correctness, or functionality of my apps. Static typing ain’t it.

To supplement his own arguments, Tate includes interviews with Java luminaries who are moving away from the platform or who at least take serious issue with some of the sacred cows of the Java world. I was particularly tickled by the inclusion of James Duncan Davidson, who brought us both Tomcat and Ant — and no longer works with Java. Steve Yegge’s explanation of how he took months off from development to figure out what was slowing him down, to discover that it was Java itself.

(Elsewhere, David Geary of JSF fame identifes several Java “connectors and mavens” who have adopted Rails. Worth noting by those who would dismiss the hype.)

The concluding chapters explore what Tate thinks might characterize languages that steal Java’s thunder, paying close attention to Ruby, Ruby on Rails, and continuation servers like Seaside (which I’d never heard of but which intrigue me). He dismisses Perl and PHP for what I agree to be mostly valid reasons, though I think he’s a bit harsh on PHP and has misconceptions about best practices in PHP programming models.

I devoured this book and immediately reread it. I am serious: if you are a Java programmer, you should read it. Obviously Java will not disappear from the landscape anytime soon, but I believe that it’s important to understand its limitations and frustrations, and why other languages are starting to eat away at its foundation. Otherwise you’re likely to end up like one of the cranky COBOL programmers, wondering what all the fuss is about this upstart 10-year-old. :)

Uncategorized

Ruby, after all

That didn’t take long. Just a few days after I decided to learn Python before Ruby, I changed my mind and went with Ruby. Garrick told me that a Ruby user group was starting up in town, and that happy news pushed me over the edge. I’ve spent odd moments and bus rides in the past week reading the PickAxe book, and my gut feeling was right: Ruby feels right to me, like meeting an old friend, like coming home. I’m excited to dig into it with gusto, and anxious to try Ruby on Rails.

Rails is easy enough to set up, but the usual way of doing so is to use RubyGems — which doesn’t work right on my iBook running Jaguar (OS X 10.2). No, compiling a new ruby hasn’t helped, though the problem does seem to be at the ruby core level. The obvious choices are either to get Tiger (OS X 10.4), which I’ve been putting off until I buy a new laptop, or to install Rails by hand. I’m not sure right now which way I’ll go.

To celebrate my introduction to Ruby, on Wednesday night I went to the inaugural meeting of the Twin Cities Ruby user group (still working on a name. People were enthused about “MSP Ruby Brigade”). The organizers expected maybe a half-dozen people. Three times that showed up. Not bad for last-minute word-of-mouth! Easily half the people in attendance work with Java in their day job; most of us are less than thrilled about it. At least two there contribute to JRuby, working to get a ruby interpreter in the JVM. A really sharp group of people. I walked away from the meeting even more excited about Ruby than when I arrived.

What about Python? I’ll get back to it. I still do want to try Django, and the few days that I spent with Python whetted my appetite. I’m just more excited about Ruby right now.

Security

Web App Security Assessment with LiveHTTPHeaders

Shreeraj Shah has just published Assessing Web App Security with Mozilla over on ONLamp.com. It’s really more about introducing LiveHTTPHeaders than the guts of a security assessment, but it does point the way. Not unlike the talk I gave at this spring’s MnSCU IT conference (handouts). I like LiveHTTPHeaders for just this purpose, I use it all the time. (In fact, I used it just yesterday when reviewing PHPSurveyor, an app that has its share of problems.) More and more, though, I find that I’m using Fiddler, at least when I’m on a Windows box and don’t have to deal with HTTPS. Fiddler offers a lot of detail that I find useful.

Still, I do fire up LiveHTTPHeaders when I just need a quick overview of what’s happening and want to manipulate requests. I also use it to introduce developers to HTTP. Too often I find that developers don’t have a solid understanding of HTTP basics, which has a direct impact on their ability to write secure web applications.

LiveHTTPHeaders is a fine tool, and Shreeraj Shah’s article is a good introduction. If you’ve never used it, a few minutes reading that will get you started and point you in the right direction. And maybe give you a little insight into the sorts of things an attacker can do quite easily.

Uncategorized

Python, then Ruby

I’ve taken up Python again. I quickly taught myself Python a few years ago, learning just enough to become enamored with the language before neglect drove it from my brain. I love its brevity, its elegance. I once fooled myself into thinking that Jython would be handy, offering the complete Java API through Python, but right now Java and I aren’t getting along, so that’s not too interesting anymore. So what brings me back to Python? Django and TurboGears, two Python web frameworks that stand to make me more productive with less code. Even if it’s just for fun and I never get the chance to use this stuff at work, I don’t care. I want to hack again.

What about Ruby on Rails? Don’t worry, that’s coming. I like what I see in Ruby — a lot — and it’s just become too hard to ignore Rails. I tried for a while, mostly because the hype factor turned me off, but a closer look at Ruby and a better understanding of what Rails is all about helped me get over that particular prejudice. RubyRails certainly reflects some worthwhile ideas, and I just can’t argue with the productivity it offers.

I wrestled with deciding whether to take up Ruby before Python, but opted for Python because I was afraid that if I started with Ruby it would be months before I returned to Python. My gut is telling me that I’m going to be much more at home in Ruby. Since part of why I’m learning these languages is to expose myself to different ways of thinking, I decided first to learn Python and see how that takes.

Still, Ruby beckons. I figure I’ll pick up the Pickaxe in a couple weeks.

Personal

I Am Not a Runner

I used to be a runner. I started when I was nine years old, and kept at it diligently almost all the way through high school. I can’t imagine that now: how many fourth graders do you know who take up long distance running for fun? By high school I’d developed an unfortunate habit of running at night, through areas that weren’t very well lit: wooded, hilly trails around the lake. (Or maybe it wasn’t so unfortunate, since it meant that I often got to stop by my friend Faye’s house for some late-night lasagna. :) One night, though, I stepped in a hole — that happens sometimes when you can’t see the ground in front of you — and hurt my ankle badly enough to keep me out of running for about six weeks. By the time I was physically able to run again, I discovered that I was no longer interested. It just didn’t do it for me anymore: I was no longer a runner at heart. So I stopped.

Two weeks ago, overweight and out of shape, I started to think about running again. I’d take it slow, ramp up to some more serious effort when the coming winter fades. I had just decided to go buy a pair of shoes when I sprained my ankle. Okay, maybe I shouldn’t start running quite yet. After a couple weeks my ankle starts to heal, I finally start walking on it comfortably again, maybe start thinking about looking at those shoes soon — knowing full well that it will be a few weeks before the ankle is strong enough to run on — and bam! The ankle goes out again. It seems that Something is telling me that I should have taken the hint in high school: I Am Not a Runner.

I was all ready to except the cosmic omen explanation, but then today it happened again, this time about as bad as the sprain two weeks ago. At no time today or yesterday did I give any serious consideration to buying shoes. So that’s probably not it. On the other hand, this time I did call a doctor. Appointment’s later this morning. Hopefully I can make it there. :)