    RIA Forum on GUI Technology

    January 25th, 2010


    We are happy to announce the second RIA forum which will take place in Darmstadt (close to Frankfurt), 23rd of April 2010! This time, with Canoo Engineering AG as premium sponsor, four well known speakers will talk about the advantages and disadvantages of four different ways to create effective user interfaces (especially in business contexts).

    Instead of giving details here, I recommend visiting the forum page directly: http://www.riaforum.com (in German). Please be aware that we can only provide entrance to a limited audience, so if you want to join, make sure you sign up quickly.


    Jazoon ‘09: Addressing security in the agile process

    June 25th, 2009

     

    Session title: Agile and Secure; Can we do Both?
    Speakers: Jason Li & Jerry Hoff, Aspect Security


     Goal: To try to get developers to think about security early on in the development process.

    Jason begins with a brief description of a common security flaw (in AJAX apps at least): XSS, which typically involves replacing regular text with a malicious piece of JavaScript. Example attack: the JS steals the end-user’s cookie by querying the DOM. A cross-site request forgery might subsequently be mounted by using the stolen cookie from within a new application context, such as mail, in order to delete all the user’s mail.

    Another example – SQL injection – is when part of a SQL statement is replaced with a semi-colon followed by another statement e.g. DROP TABLE… which is obviously bad news.

    With that whirlwind tour of web security… how to fix the process which results in such errors?

    The speakers refer to the waterfall model and explain how the activities in each of its chunky phases include (or should include) security: security requirements, security design, etc.

    Speakers then argue that embellishing the highly iterative agile process in the same way as was done for waterfall is not practical. Blogger agrees… the granularity of the activities is too fine to permit the kinds of security analyses which are required. So what’s the solution?

    They recommend…

    Leveraging user stories

    Prerequisite step: Ensure that all developers have received adequate security training

    Another prerequisite step: Get management to fund this (gets a laugh!)
    Alternatively: OWASP (the Open Web Application Security Project) is an organization that provides heaps of information on attack points and solutions for these.

    Leverage unit testing… and include security tests in the unit tests. This is obviously particularly effective in a continuous integration environment.

    To speed up this process, use common security components such as those at Open Enterprise Security. Organizationally, this needs to be communicated across the development team(s).

    Leverage and consolidate sprints… and ensure that all security stories are included in each sprint. For dealing with security stories which don’t fit into any particular sprint, run sprints that are focussed solely on security.
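
    The recommendation to include security tests in the unit tests, applied to the two flaws described at the start of the talk (script injected as text, and a SQL statement appended after a semi-colon). This is an added example, not code from the talk or the speakers; the function names, table and hostile inputs are all constructed for illustration.

```python
import html
import sqlite3
import unittest

# Constructed hostile inputs modelled on the two flaws described in the talk.
MARKUP_INPUTS = ["<script>document.cookie</script>", 'Bob "the builder" <b>hi</b>']
SQL_INPUTS = ["alice'; DROP TABLE users; --"]


def render_comment(author, text):
    """Hardened: escape user-supplied values before placing them in HTML."""
    return "<p><b>{}</b>: {}</p>".format(html.escape(author), html.escape(text))


def render_comment_unsafe(author, text):
    """Contrast case: raw concatenation, the pattern the tests must reject."""
    return "<p><b>" + author + "</b>: " + text + "</p>"


def leaked_inputs(render):
    """Return the hostile inputs that reach the page unescaped."""
    return [p for p in MARKUP_INPUTS if p in render("mallory", p)]


def make_db():
    """In-memory database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user(conn, name):
    """Hardened: the name is a bound parameter and never becomes SQL text."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


class SecurityStoryTests(unittest.TestCase):
    def test_markup_is_escaped(self):
        self.assertEqual(leaked_inputs(render_comment), [])
        out = render_comment("mallory", MARKUP_INPUTS[0])
        self.assertIn("&lt;script&gt;", out)

    def test_sql_input_is_treated_as_data(self):
        conn = make_db()
        for payload in SQL_INPUTS:
            # No user has this name, so the lookup must find nothing.
            self.assertEqual(find_user(conn, payload), [])
            # The same string stored as a name must round-trip unchanged.
            conn.execute("INSERT INTO users (name) VALUES (?)", (payload,))
            self.assertEqual(find_user(conn, payload), [(payload,)])
        # The table still exists and holds the original rows plus the new ones.
        count = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
        self.assertEqual(count, 2 + len(SQL_INPUTS))


def run_security_tests():
    """Run the suite the way a CI job would; return (tests run, problems)."""
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(SecurityStoryTests)
    result = unittest.TextTestRunner(verbosity=0).run(suite)
    return result.testsRun, len(result.failures) + len(result.errors)


if __name__ == "__main__":
    print(run_security_tests())
```

    html.escape covers HTML text and quoted-attribute contexts only; values placed inside script blocks or URLs need their own encoders and their own tests.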

    Great line (paraphrased): Web apps are a kind of “perfect storm” comprising a complex mixture of technologies, which results both in a large attack surface area as well as numerous subtle edge cases which make us more vulnerable.

    Couldn’t agree more!!!

    I found this talk excellent both stylistically and, more importantly, in terms of content. There are still voices out there which claim that agile is in some way incompatible with quality. Talks like this should go some way to quell those remaining voices. Although the pair used AJAX’s inherent security vulnerabilities to highlight the necessity for a systematic approach to security in agile environments, much of what they recommend applies to any agile environment, whether it is creating AJAX applications or not.


    What’s new in JSF 2.0?

    June 24th, 2009

    Session title: A complete Tour of JSF 2.0
    Speakers: Ed Burns – Sun Microsystems, Inc
    Martin Marinschek – IRIAN Solutions

    My interest in this talk is simple to explain: I used JSF in a really cool project last year, and found it capable but wanting in a number of respects. Let’s see if the problems have been addressed…

    The speakers begin with quite a few words about how the JSR was the result of a community effort. They then note that JSF 2.0 doubles the scope and integrates Facelets.
     


    And the new features are…

    1. Composite components. To a large extent the philosophy is the same as for Rails, with pay-as-you-go complexity. The goal was to enable true abstractions. Makes heavy use of naming conventions to reduce verbosity. Composite components build on top of resources and Facelets. Nice to know: Mojarra supports Groovy.
    2. AJAX support inspired by RichFaces, IceFaces, DynamicFaces, ADF Faces. Enables AJAX elements to be specified declaratively or programmatically.
    3. Partial state saving. Biggest problem for performance to-date was the size of the state. Everything was a state and every request was a post. Pre-view state size is now 25% less than prior to 2.0.
    4. View parameters. Inspired by Page Parameters from JBoss Seam. Provides a way to map request parameters to special components within the view. Reduces the need to redeclare all the params across all the pages in the app. I had this problem in the aforementioned app and am glad to hear this issue has been addressed!!!
    5. System Events. Inspired by DTrace, influenced by JSFTemplating. This is a publish/subscribe event bus for the JSF app. A suite of events is provided. The list may be extended.
    6. Resources mechanism is now standardised. Separate Filter or Servlet is now no longer necessary. Resources are now logically related to components. Full “library” support (whatever that means), I18N, versioning,
    7. Behaviours enable you to attach a behaviour to a component in a way which I didn’t quite understand.
    8. Navigation enables pages to be bookmarked. Uses the View Parameters feature to ensure params are validated before rendering the page. Implicit Navigation enables pages to be bookmarked.
    9. Exception Handler enables a single point of failure handling to be defined for a given app.
    10. Validation is integrated with JSR303 Bean Validation
    11. New Scopes have been defined: “conversation” (enables wizard-type functionality); “Flash” inspired by Ruby on Rails, which is used in Master-Detail situations; …
    12. FacesContext used during startup/shutdown eases the business of keeping things tidy.

    I may have missed one or two points during this rather information-intense session. Nevertheless interesting stuff. Big take-home: JSF2.0 appears far easier to use than its predecessor. It’s also much bigger.

    Conclusion: Valuable information, competently presented.

    Having been asked 2-3 times at Jazoon about my JSF experience, I now have the impression that interest in JSF is pretty high – and growing. I’d have to go back and look at my notes about the project to see what we could have done better using these new features.


    Jazoon ‘09: RIA and Security

    June 23rd, 2009

    Session title: RIA Security: Broken by Design
    From: Joonas Lehtinen, CEO IT Mill

    IT Mill is the creator of Vaadin: A 100% Java tool for RIA.

    Joonas outlines a spectrum of complexity from basic sites to 3D games, with examples:
    Web Sites (Wikipedia), AJAX Sugar (Facebook), Full RIA

    He divides “Full RIA” into client-side vs. server-driven. Gives a crash course in GWT.

    Vaadin: Apparently 100% Java and server driven, which sounds an awful lot like ULC at this stage… But here’s a difference: It builds on GWT and relies on JavaScript on the client-side.

    He goes on to present a bunch of development rules:

    Rule #1: Don’t trust the browser
    Rule #2: Complexity is a hiding place for bugs
    Rule #3: A large surface gives more opportunities for attack. This surface has increased with Web 2.0.

     

     

    The difference between the GWT and Vaadin architectures is that GWT relies on the client invoking a server-side Web Service API, whereas Vaadin renders the client’s view on the server.

    Erm… he then offers the cures for the problems (Rules above)… which I miss because the explanation is compressed into around 5s.

    I’m starting to dislike this presentation at this point. Because here comes another artificial security issue scenario… and guess which product solves it. And I thought product placement in Hollywood movies was irritating.

    The issues he raises are legitimate, but the lack of objectivity is obscuring the message. And as I write the presenter is debugging JavaScript which depends on analysing the DOM on the client side – I’m not sure if he’s now analysing the problem or trying to fix it!?

    I am formally declaring myself lost at this stage. At least I hope the other attendees are getting something out of this presentation, which has lost focus IMO.

    He continues with a discussion about attacking at the transport level, inserting new data on the fly. But come on: A secure transaction in this technical setting will operate under HTTPS, which in most instances will deal with this kind of attack. Unless, of course, that’s something else I missed.

    I think I need a coffee!!!


    J1 Session-Blog: Ajax vs. JavaFX Technology

    June 3rd, 2009

    First note that the speakers Ben Galbraith and Dion Almaer are co-founders of ajaxian.com, which is clearly an AJAX-shop. They claim that Web technologies and Java went stagnant in the UI space. Ajax and JavaFX have the characteristics of a renaissance. They structure the talk in the form of a “discussion” or a series of arguments, where one supposedly pits the advantages of said technology against the other.

     

    •    Argument #1: Java performs way faster than JavaScript; on the other hand JavaScript is getting faster all the time (V8 team at Google); plus apps like Google wave demonstrate that performance is good enough.
    •    Argument #2: Responsiveness improved by worker-threads in a Java GUI. Yet using “web workers” we can overcome the limitation of JavaScript to a single thread. Demo of Pictastic proves the point. Having said that, web workers are still 10 times slower than Java; plus the API is extremely limited. In “web worker”, worker threads don’t share state, which is way safer than the totally flexible Java approach.
    •    Argument #3: GC way more advanced in Java. On the other hand, incremental GC in Mozilla is improving all the time. A lousy fact of the JVM is having to determine how much memory the app requires (or how much is available) wherever the app is deployed.
    •    Argument #4: Graphical capabilities of Java surpass what web apps can do. But performance of Bubblemark benchmark app shows that Google chrome achieves 100 frames per second. By comparison JavaFX achieves 24 FPS. With vector graphics Chrome is back down to 30 FPS. What the speakers don’t consider is that JavaFX is a very new and to-date under-optimised technology.
    •    Argument #5: An Ajax 3D demo “metatunnel” is pretty impressive. Most browsers, apparently, are offering 3D extensions. It’s still at the experimental stage, however. JavaFX, on the other hand, has nothing to show in 3D.
    •    Argument #6: Java is weak on fonts. The speakers claim that you can’t use native fonts in Java (is this true? I seem to remember supplying Java with some additional fonts some years back.) Control over fonts in the Ajax world is even more limited, however.
    •    Argument #7: JavaFX provides “amazing” video support. Counter argument: Flash plugin is ubiquitous and surpasses JavaFX in terms of maturity. Open Web Video offers sophisticated video functions.
    •    Argument #8: Binding in JavaFX is compact and elegant. Web toolkits are very clumsy by comparison. The speakers quickly mention Mixins, Animation and Effects. All of this is way easier in JavaFX…
    •    Argument #9: Legitimate criticisms are raised about JavaFX syntax. Speakers suggest that JavaScript is actually easier and closer to Java than JavaFX Script. And, of course, JavaFX totally lacks widgets like table/tree. Web toolkits even provide some very cool layout management and tools for constructing GUIs.
    •    Argument #10: Tooling superior in the Java world.
    •    Argument #11: Deployment. Web wins here, obviously, except for significant browser incompatibilities. Applets, Mac etc. are lousy too, however.

     

    Conclusion: A pretty damning result for JavaFX, which is for the most part justified (at least today.) What the speakers fail to do, however, is talk more fairly about the significant problems faced by AJAX developers on a daily basis.


    Canoo CEO to present course on RIA and AJAX at ETH Zürich

    September 3rd, 2008

    Canoo’s CEO Hans-Dirk Walter is presenting a one day course on Rich Internet Applications and AJAX on 12th September 2008.

    The RIA course is part of a three day training “Web-basierte Informationssysteme” from 10th to 12th September 2008 and will be held in German at the ETH in Zürich. Participants may choose to attend only one day or the entire course.

    Practically everyone has access to the “Web”, whether privately, at work or, increasingly, on the move. The Web is therefore available to practically anyone at any time. The great success of the Web is due to the fact that it has greatly reduced the cost of retrieving and providing information. This three-day course introduces the fundamental technologies of the Web and of the development of Web-based applications. On the first day, Web Services and service-oriented software architectures (SOA), which form the basis for distributed information systems, are introduced. On the second day, XML is introduced as one of the fundamental technologies for representing, storing, exchanging and processing information. On the third day, Rich Internet Applications and the programming of modern graphical user interfaces are covered.

    Here is a summary of the RIA topics that will be presented (translated from German):

    Rich Internet Applications (RIA) are the next generation of web technology. They improve user interfaces and decisively extend the range of uses of web applications. Their essential contribution: they combine the advantages of server-based web technology with interaction possibilities for the user that are otherwise known only from locally installed desktop applications.

    Through the buzzword AJAX and applications such as Google Maps, Flickr or e-Opinion, which are implemented with this technology, Rich Internet Applications became known beyond the technical developer community.

    It is often overlooked that AJAX is only one (very simple) implementation alternative for achieving the overarching goal of more ergonomic user interfaces. This course gives an overview of the goals pursued by using RIA technology, the architecture and design patterns for Rich Internet Applications, and an overview of the technology alternatives for building such modern systems. In addition to the concepts, demonstrations and practical examples are provided to give real experience with these technologies.


    Summary of the Course Details:

    When: Wednesday 10th September 2008 to Friday 12th September
    Where: ETH Zürich, IFW-Gebäude, Hörsaal A 36 , Haldeneggsteig 4
    Lecturers:
    Prof. Dr. G. Alonso, ETH Zürich
    Prof. Dr. D. Kossmann, ETH Zürich
    Dr. H.-D. Walter, Canoo AG
    Course name: Web-basierte Informationssysteme

    ETH Zürich compact course on RIA and AJAX


    Register for this course
    at the ETH Zürich website.

    This course is part of an ETH Zürich course program for IT professionals called “Kompaktkurse für Informatiker”.


    Feature Article on Building RIA for Business Users

    July 10th, 2008

    June Issue includes article by Hans-Dirk Walter
    it management has published an article by Canoo’s CEO, Hans-Dirk Walter on building Rich Internet Applications (RIA) for business applications (in German only).

    The article provides a short introduction to RIA and some of the business benefits it offers such as automating global business processes, consolidating applications or enabling Software as a Service (SaaS). The article discusses the various evaluation criteria that are relevant when selecting a technology.

    • Which users is the application aimed at: is it to be used within a company, as a B2B solution with business partners, or is it aimed at arbitrary users on the Internet?
    • How do users work with the application? Is it called up occasionally, or is it used by experts daily and very intensively to carry out important tasks?
    • Is the application a business application (e.g. a CRM or ERP system) or an application with an entertainment character, in which animations and multimedia play a major role?

    A .pdf is available online in the press section of the Canoo website.


    Grails Sample Application: ria-map.net

    June 18th, 2008

    Canoo has released a new sample application at ria-map.net. The application shows typical Web 2.0 interface elements such as tagging or Flickr-like editing fields.


    I asked the developer, Jonas Zuberbühler, the following questions on the new Canoo sample application.

    SW> What is riamap?

    riamap is a Web 2.0 community site that maps the world of Rich Internet Applications. Unlike mere information aggregators on the topic, it builds on user contributions to assemble not only a list of current RIA technologies, but also how they relate to each other.

    Users can explore what technologies are available, what they have in common, how they differentiate, what competitors they have and how they complement each other. These relations make up a graph that any user can extend by adding new connections or voting on how strong any such connection is, based on his or her own judgment.

    SW> What technologies did you use to build it?

    We used Grails for the web application framework and Groovy as it is the perfect partner for implementing server-side logic.
    In addition, we used Prototype, Scriptaculous and LivePipe to integrate AJAX features and to improve the user interface.

    SW> Why did you select Grails? Why not adapt an existing PHP- or Java-based content management system?

    Canoo has a strong footing in Java and Grails is the perfect choice for developing Web 2.0 applications on the Java platform. We can build on our solid understanding of this ecosystem and use all the existing tools for development, deployment and operations. On top of this, Grails provides us with the concise, expressive and interactive development style that modern applications require.


    To get a login for riamap, sign up here to join riamap. Try out the various Web 2.0 interface features. If you feel like adding information on a RIA technology, enter the details here or edit an existing entry.


    JavaPolis 2007 – Desktop RIA and Mobile Apps rock the Scene

    December 13th, 2007

    This morning, I attended the second keynote at JavaPolis 2007 in Antwerp. Although it was not the “big” keynote (that one was held by James Gosling the day before), it was definitely the more interesting one to me. This is why:

    First, the Java community was hit by two extremely cool Flex demonstrations: at the beginning, Bruce Eckel and his co-speakers showed a Flex-based data manager framework that allows transparent and smooth synchronization of client-side and server-side business data, even between multiple clients and with clustered server nodes. Data changed on one client gets synchronized to the server (for example: to all cluster nodes) and then back to all connected clients. Not only does it allow the application to determine the “transaction commit point”, but it also provides support for conflict handling (again, the conflict reconciliation handling can be fully controlled by the application). Whenever a client goes offline, data changes are locally tracked and synched back to the server as soon as the connection is re-established. Failed cluster nodes get updated as soon as they rejoin the cluster. In addition, the data manager can also be used with Ajax applications. Although the demo application looked quite “ugly” (for a Flex demo …), the technical brilliance led to spontaneous applause …

    The second rocking Flex demo was Parleys.com beta: well-known for slick and smooth video and slide show streaming, Parleys.com is about to get a face-up. Well it’s more like a revolution. While it was based on Ajax in version 1.0, the new technology chosen is Flex. Of course, the visual effects are extremely slick and appealing. But what is way more interesting to me from a RIA point of view is the integration of the online, browser-based version with an offline Parleys.com client application based on AIR. When both clients are running, the browser-based one automatically gets enhanced by features available in the offline client – such as offline video availability – by smoothly adding new buttons and actions to the online client. That really rocks from a user experience and integration point of view! The new Parleys.com version is about to be released in Q1/2008.

    But there is a fight-back from the Java side: also worth mentioning here is the Java approach of browser-based RIA that was demonstrated in the IRIS sample application. First shown to the public at the last JavaOne, this application does not stand behind the Flex-based ones in any way when it comes to visual effects. The IRIS approach smoothly integrates Java applets with an ajaxified Web application. It was almost impossible to say what feature was powered by the applet and what was done using Ajax – and what was done by tightly combining these two technologies even for a single user interaction. The revival of the applets!

    To me, all these demos really show that RIA is still steadily increasing in importance. There is way more than just adding a few fancy Ajax effects to a static web page – and the big vendors and technology owners are pushing the car forward. And the desktop is really moving back into the RIA world – it is no longer all about pure (and old) browser technologies, but about JNLP, applets, AIR & Co.

    But there was also another unexpected “flasher” in that keynote: JavaME. JavaME? Isn’t it dead? No, it’s not! Sun showed up with the new Netbeans Mobility 6.0 that extremely simplifies the development of JavaME-based games. But not only games, also business applications are finally showing up in the JavaME space (and are supported in a graphical way by the mobility tool). Using the SVG-rendering facility available in the MSA (Mobile Service Architecture), these UIs now can really look awesome (forget these old and ugly “text-based” mobile UIs …). And by adding JavaFX Mobile to the scene, Sun is pushing the Java mobile stack even further. As with Google’s Android, Sun aims to provide a complete software stack based on a Linux kernel that offers Java-based APIs to all phone capabilities which are then used by all the device vendors, third party RIA software service providers and the community to develop new-class mobile RIA applications. It will be very interesting to see whether Sun or Google (or both?) will make the deal with their approach. In the end, I think the device vendors are going to decide this battle: every cool software platform is only worth noting if there are a big bunch of devices available that ship the software by default.

    A few resources:

    All this mobile stuff now really seems to shake a leg. Very exciting!


    JUGS RIA Event: The Slides

    December 2nd, 2007


    Here are the slides of the recent Java User Group Switzerland event on Rich Internet Applications:

    Bruno Schäffer on “RIA for Business – What’s next?”.

    Björn Müller on “AJAX – Reality Check”.

    Ryan Stewart on “The RIA Landscape”.