Archive for the 'RIA' Category

Conferences, JavaScript, RIA, Security

Conference sessions are over. Now I can read again.

When last I wrote, I was busy working on a few talks. They went reasonably well.

MinneWebCon was a lot of fun, an engaging, upbeat conference. There were almost 250 attendees, about two-thirds of which were from the University of Minnesota, which put on the conference. Eric Meyer delivered a keynote in which he discussed craftsmanship in the web professional. How very relevant. Amy Kristin Sanders’s midday keynote offered useful insights about internet law that I cannot do justice to. In Mark Heiman’s enchantingly engaging talk about the search for a social networking tool for Carleton College alumni, I learned about Elgg, an open source social networking platform that looks pretty damn good. I’ll have to take a closer look.

The smartest bit of scheduling was to put unconference sessions immediately after lunch. Rather than nodding off on a full stomach, we got engaged in animated discussion, keeping energy high for the afternoon. Brilliant. The social networking session largely highlighted Twitter, which fit in well with the active back-channel Twitter chatter going on. Tony Thomas wrote a little about that.

My own presentation on JavaScript went almost as well as I hoped, although I ended up not being able to touch on Ajax except immediately afterward in a quick response to a question as I was unplugging from the projector. My emphasis was on taking functional pages and layering helpful behaviors onto them with unobtrusive JavaScript. Video will be available at some point, and I’ll be making my presentation notes available here (and there) soon.

And by the way: in case you didn’t know, jQuery is fantastic.

Many thanks to the MinnWebCon organizers for putting on a great conference and for allowing me to participate. I’m looking forward to next year.

Unfortunately, I was having so much fun preparing for my MinneWebCon talk that I gave short shrift to prepping for the two presentations I had scheduled at the MnSCU IT conference this past week. Thankfully I deliberately chose topics on which I could speak extemporaneously if need be. They turned out okay, but (as always) not as good as I had hoped. My first session explored the limits we’re bumping into with Ajax, especially user interface challenges, nontrivial client-server data communication problems, and the fallacies of distributed computing — setting the stage for the emergence of rich internet application technologies like Flex, AIR, and Silverlight. None of these technologies actually solve the problems, except making it easier to create better-looking UIs, but they should be watched closely. Hell, I’d use Flex in a heartbeat for certain things like, oh, an ERP.

I also spent a few minutes pointing toward all the activity going on around programming languages, concurrency, and flexible approaches to databases (non-relational, sharding, etc.), all related to rising expectations of what software should be able to do and how quickly we should be able to create said software. I talk about this stuff all the time, but hardly anyone seems to believe me. I hope that I at least planted a seed or two that will bear fruit in future discussion, and was heartened upon my return from the conference to see Tim Bray take it up:

Near as I can tell, we’re simultaneously at inflection points in programming languages and databases and network programming and processor architectures and Web development and IT business models and desktop environments. Did I miss anything? What’s bigger news is that we might be inflection-point mode pretty steadily for the next few years.

I don’t know whether I’ll put together notes. I suppose I ought to.

I was a little worried about the session on software security principles, since I had completely changed course on what I wanted to do the night before, but it turned out to go quite well. I wanted to start a discussion, examining common software development scenarios where I often find vulnerabilities, letting the group identify security principles that should guide development. WIth the help of a few security-minded individuals and a lot of people not afraid to put themselves out there even when they weren’t sure of themselves, we did just that. It was a good, active conversation. I was a concerned that one guy who brought up a quite valid point — that by moving our ERP from Win32 client-server to a web application, we’ve increased exposure and risk — was discouraged by the response. I talked with him today, though, and found that he wasn’t at all discouraged and that he had learned what I wanted people to learn:

  • the threat is no longer amateur;
  • software is rarely designed with security in mind, and that’s where the attacks are taking place;
  • there are core principles that should help guide software design and development, such as not trusting input, using least privilege, and so on.

For people like him for whom this is all new, next time I will prepare handouts. If you’re looking for a preview or something to use now, I suggest you start with the excellent resources from the Microsoft patterns and practices group, including Guidance Share. It is not all Microsoft-specific, and there are some real treasures. For a quick run-down of security principles, see this blog entry by J.D. Meier, which lays them out nicely against Microsoft’s security frame.

To my mind, the highlight of the conference was Mike Janke‘s whirlwind tour of the MnSCU network and data centers. We really need to see more of that. Watching his presentation leaves no question of the scale and complexity of the problems of doing IT for an organization the size of ours, and the tremendous job that Mike and his team have done.

The real conference is of course not the sessions but the connections made with people there. Many good conversations were had, but I still didn’t connect with everyone I had hoped to. Folks, you know who you are. Let’s not wait until next year, okay?

Whew! My conference season is pretty much over, so excuse me while I go tackle that growing stack of books.

JavaScript, RIA, Security

Upcoming Talks

I’m busy preparing for three talks that I’ll be giving in April.

The first will be at MinneWebCon, a web conference at the University of Minnesota.This is their first time putting on this conference, and even were I not speaking at it I would probably attend. The sessions on user experience, social networking, and online video look interesting, and I read today that there will be unconference sessions, too. My talk will be an introduction to JavaScript. The MinneWebCon organizers don’t expect the audience to be hardcore developers — a glance at the sessions makes that clear — so I’m keeping it basic but still trying to make it useful and get across important ideas. I always try to stress a few concepts whenever I talk about JavaScript:

  • The importance of unobtrusive JavaScript — playing nicely with web standards and writing JavaScript that injects itself into a page to layer on behavior.
  • JavaScript is not a toy language. It’s frequently dismissed as a cute little trinket, but its importance in web apps nowadays argues that although it has its warts, it has a certain quiet strength. I deal with a lot of Java developers who eschew JavaScript as “nothing like Java” but who then make the mistake of writing JavaScript code as if it were Java Lite. JavaScript is not a less powerful Java: it is best used on its own terms.
  • Security. JavaScript is so ubiquitous and it is so easy to make security mistakes, I would be remiss not to discuss security. Especially since I’ll be bringing in a little Ajax.

We’ll be looking at JavaScript from the perspective of introducing basic enhancements to page behavior, illustrating those three concepts along the way. In an hour can’t get too deeply into JavaScript syntax, especially for non-programmers, but I will be showing how to leverage libraries, especially jQuery.

The next two sessions will be at the annual IT conference for Minnesota State Colleges and Universities. (There’s not a good link right now, sigh.) This is a gathering of IT staff from our colleges across the state, staff development, networking, and so on.

The first session is on software security principles. In the years that I’ve been working with developers on software security — coaching, training, giving talks at conferences like this — I’ve focused a lot on common flaws and vulnerabilities: how to test for them, how to prevent them through early design analysis and development techniques. It’s become clear, though, that there’s something fundamental missing. Understanding of vulnerabilities and their exploits is incomplete unless a developer also understands basic principles of software security. Until a developer — or architect, or project manager — has a foundation in the core principles that guide secure software development, they are likely to make the same sorts of mistakes that lead to security problems, even if specific vulnerabilities are planned for.

Basically, I don’t want to keep finding myself in arguments about whether or not it’s worth doing input validation. So I’ll cover principles like “input is evil,” least privilege, defense in depth, secure failure, that sort of thing. Since an hour of theoretical mumbo-jumbo isn’t likely to do anything except put people to sleep, I’ll be sure to explore how these principles play out in the software development process, and how common vulnerabilities such as the OWASP Top Ten can be addressed by keeping the principles in mind.

Yeah, I get a little ambitious.

My second session at the MnSCU IT conference is called “Beyond Ajax.” When I first conceived of the talk, it was more along the lines of “Why Your Software Sucks.” (I had an angry few months, what can I say?) It then morphed into an exploration of rich internet application technologies starting to rise to the fore: Flex, AIR, Silverlight, even JavaFX. Then, thinking about the two sessions that I’ve outlined above, I realized that I didn’t have enough time to learn Flex and Silverlight well enough to do a kick-ass presentation. Besides, for an audience that for the most part is maybe just now getting into Ajax development, I need to develop more background of what’s driving the adoption of non-Ajax RIAs.

So instead, the talk will be about why creating a well-designed Ajax app has proven difficult or unsatisfying:

  • We’re still stuck with the limitations of browser user interfaces.
  • Writing cross-browser code is still hard.
  • Creating compelling cross-browser UIs is even harder.
  • Many developers don’t understand JavaScript like they should.
  • Security has grown more complex.
  • Ajax accessibility is still largely unknown and misunderstood.
  • Although the client-side part of an app can now do more (and be more complex!), without a lot of work application workflows have not changed much and are still hampered by HTTP.
  • Architecture of data flow between client and server is a significant challenge, often falling victim to the fallacies of distributed computing and resulting in a degraded user experience.
  • There is a strong inclination to use Ajax to create non-browserlike experiences, often to the detriment of the user.

I don’t know yet whether I’ll bring mobile devices into the picture.

Into this setting come Flex, AIR, Silverlight, and so on. I can’t get too deeply into them, much as I’d like to. Still, the focus of the talk is on rich internet apps — mostly why, not so much how. Look for that next year. :)

I also hope to spend a few minutes (lightning talk style?) discussing parallel industry trends that will have impact on in RIA development in the near future: cloud computing, approaches to concurrency, non-relational data stores, and a panoply of new languages and platforms to address these concerns. This is all stuff that’s been rolling around in my head for the last year or two, and I’m tempted by a bit of self-indulgent examination of how it’s all connected.

Like I said: I get a little ambitious. That last bit is likely to get cut as not contributing to the core message.

So if you don’t hear from me for the next month or so, know that I am busy. But I am having fun.

Books, Open Source, RIA

More on RIAs and a Silverlight book

With all my talk about Flex and AIR the other day, I’m surprised no one pinged me — hard — about other RIA options. Like OpenLaszlo, Silverlight, or even JavaFX.

Admittedly, I am curious about OpenLaszlo, especially since they started compiling both to Ajax and Flash. But I’ve never given them a fair shake. I’m not sure why, except a sneaking suspicion that they wouldn’t be around for long. That hasn’t proven to be the case thus, although we haven’t yet seen the shake-out from the open-sourcing of the Flex SDK yet. But again, that could just be me being unfair.

I’m waiting to see what happens with JavaFX. The client-side Java experience has been improving in recent years, and I expect JavaFX to help quite a bit. Once I sort out just what the hell it is. :) There’s a lot that fits under the JavaFX umbrella. I think the consumer JRE will quietly make people’s Java experience better, and I do have high hopes for JavaFX Script making client GUI development easier. But they’re nervous high hopes, like it won’t take long for the bottom to fall out.

cover of Silverlight bookSilverlight… Again, haven’t given a fair shake because I don’t develop in a Microsoft environment. The runtime may eventually become ubiquitous on Windows, but … well, I’ll just wait this one out and see. It’s like Mono: I’d like to look closer at it but just plain don’t have the time and am not motivated to make the time right now.

That said, I have every intention of reading a new e-book on Silverlight 1.1. O’Reilly’s “short cut” on LINQ was a great introduction, giving me a good feel for what can be done with LINQ. I hope the Silverlight book do be the same.

Java, Open Source, Programming, RIA

AIR Camp

Some years ago, right about the same time that I started to move into Java, it became clear that Macromedia was trying more aggressively to woo Java developers. ColdFusion was rewritten in Java, so it’s now an app running inside a servlet container / app server, allowing ColdFusion developers to tap into the rest of the Java platform. With the introduction of Flash remoting, they positioned Flash more clearly as a development platform for rich internet applications. They released Flex, making Flash RIA development a hell of a lot easier for programmers unfamiliar with or intimidated by a Flash toolset aimed squarely at visual designers. No more confusing timelines! Just sweet, sweet XML. ;-)

Pretty sure JRun is dead, though. No complaints here.

Since the acquisition of Macromedia, Adobe has been keeping up the pace, with new releases of ColdFusion and Flex. And now AIR, which I’ll get to in a bit.

I don’t know how successful the ColdFusion rewrite has been in getting Java developers to start using it. I’m not suggesting that my personal experience is any guide, but I know more CF developers who have been introduced to Java and to object-oriented programming in the last few years than I know Java developers who have discovered ColdFusion. I did give it honest consideration at work a few years back but was turned off by its being an expensive, closed-source platform. Remember, my background is largely in the open source world.

Because of that background and bias, I was more than a little bit pleased to see Adobe open source the Flex SDK. As I wrote at the time, Flex’s being open source meant that I would consider recommending it to my employer. This is still true.

My employer is in the process of rewriting their ERP from a Win32 client-server desktop app to a Java EE web application. A decidedly nontrivial undertaking, especially considering that the developers have little background or understanding of web apps. This lack of experience and skills makes it difficult to create a compelling HTML/CSS/JavaScript replacement for a desktop app. Browser environments are limiting. It is possible to bend HTML to your will, and well-implemented Ajax helps, but to make it, well, not suck requires skill. To make it really kick ass requires serious skill. If you’re lucky and well-funded, you can hire enough people with that skill to pull it off. If you’re a state agency… well, good luck.

I remain hopeful, though. I just set my standards absurdly high.

I should insert a disclaimer here. I am by no means speaking for my employer. I’m just exploring the type of situation when I think a Flash-based RIA would make sense.

It is no accident that Adobe has been pushing Flash for RIAs. Flash apps look cool. They can suck, too, sure. But with a toolset like Flex, creating something that at least looks and acts more than halfway decent is a hell of a lot easier than creating an equivalent UI with HTML/CSS/JavaScript.

I’m not trying to sell Flex as a panacea. I know enough not to believe that a technology will solve development woes. But I have played around with Flex enough that if I’m writing a network-aware back-office app, one that’s likely to do well as an RIA, I’m very likely to use Flex because it will be easier to create better UIs. (Insert warnings about forking the web here. Except that I’m talking about RIAs here, not crappy Ajax apps.

Enter AIR.

AIR is something new from Adobe — the second beta is being announced at this week’s Adobe MAX — for creating Flash-based desktop applications. As desktop apps, they have access to operating system resources that browser-based apps don’t. The AIR installer is damn easy to work with. But the magic behind the acronym (Adobe Integrated Runtime) is that you can build the app with either HTML / JavaScript or Flash / Flex. Your JavaScript code can use ActionScript APIs to access the desktop goodness or Flash components on the page, and vice versa.

Color me impressed.

So when I saw that Adobe was going on a cross-country bus tour this summer to evangelize AIR, I signed right up to learn more. Last week the on AIR bus tour came to Minneapolis. The venue was a great choice: the old Varsity theater in Dinkytown, which I honestly didn’t think was still used as often as it appears to be. Comfortable seating. Catering by the Loring. Toss in an open bar, and we were prepped for one of the finest vendor events I’ve attended.

Since I’ve been watching video from the tour all summer, there weren’t a whole lot of tutorial surprises awaiting me. But it was about what you’d expect: Mike Chambers walked through building an AIR app with Flex, Kevn Hoyt showing us an app built with HTML & JavaScript. Show a bit more whiz-bang techie goodness for the next couple hours, and we all leave happy, planning blog entries like this one.

Actually, I planned a better blog entry than this one, but I want more of a chance to play with both Flex and AIR before I write that.

I mentioned earlier that I don’t know any Java developers who have been drawn into the ColdFusion world. Likewise, I don’t know many Java developers who have been doing anything with Flex. It could just be that I don’t hang out with enough Java developers. It seems, though, that the scope is expanding, and Adobe’s setting their sights a bit wider than Java. Good news all around.