Rich Internet Applications (RIA)

If you are reading this then you are quite likely a Jazoon 2010 attendee looking for more information about the mysterious “Hackergarten Jazoon” session blocked in your Wednesday night conference schedule. Welcome Aboard! Here is what you can expect:

1. A room will be announced when we know it
2. Drinks and food will be provided by Canoo
3. During the evening, everyone will try to contribute in some way to an open source software project.

Here are some of the contributions we made at past Hackergartens:

• A Twitter plugin for the Gradle build system
• A Growl/Notification plugin for Gradle
• Several Swing related plugins for the Griffon application framework
• A Grails Elastic Search plugin
• An inhancement to the Groovy language to aid logging

We have several ideas for projects to work on, but please feel free to show up with your own or leave a comment here with your idea. The past events have been Groovy focused, but Java, Scala, Clojure or whatever are all perfect. A few of the speakers have said they would attend and Griffon project lead Andres Almiray will be there. Pairing with an expert is a wonderful way to learn.

As people show up we Canooies will help you find other people with similar interests. Once you have 2-6 people in your group then it is up to you to start working. In the past, the most effective project groups are around 5-6 people, which creates 2 or 3 pair programming teams. Any larger than that and you spend too much time organizing yourselves. Near the end of the night you should wrap up your work and submit a patch to the project. Canooies are around to help you with patches, version control, tools, expertise, or anything else you might need.

Here are some of our project ideas, but please leave a comment here with your own! And remember, you have at most 4 hours so think small. There is no project too small… a 2 line patch is the Open Source developer’s equivalent of a CHF 10 bottle of wine. It might not be appropriate to the current meal, but it is almost always appreciated.

• Griffon-Hudson Plugin similar to the Grails plugin
• Griffon Substance Look and Feel Plugin
• Groovy Static Analysis Rules – Similar to Find Bugs but for Groovy
• Groovy @Log Transformation extensions – There is some small work to do in Groovy Core
• Find Bugs statis analysis rules for Java
• Gradle Find Bugs plugin
• Gradle JavaNCSS plugin

Post your ideas below, and see you on Wednesday.

Session title: Agile and Secure; Can we do Both?
Speakers: Jason Li & Jerry Hoff, Aspect Security

 Goal: To try to get developers to think about security early on in the development process.

Jason begins with a brief description of a common security flaw (in AJAX apps at least) XSS, which typically involves replacing regular text with a malicious piece of JavaScript. Example attack: The JS steals the end-user’s cookie by querying the DOM. A cross-site request forgery might subsequently be mounted by using the stolen cookie from within a new application context such as mail in order to delete all the users mail.

Another example – SQL injection – is when part of a SQL statement is replaced with a semi-colon followed by another statement e.g. DROP TABLE… which is obviously bad news.

With that whirlwind tour of web security… how to fix the process which results in such errors?

Speakers refer to the waterfall and explain how in each of the chunky phases activities include (or should include) security; security requirements, security design etc…

Speakers then argue that embellishing the highly iterative agile process in the same way as was done for waterfall is not practical. Blogger agrees… the granularity of the activities is too fine to permit the kinds of security analyses which are required. So what’s the solution?

They recommend…

Leveraging user stories

Prerequisite step: Ensure that all developers have received adequate security training

Another prerequisite step: Get management to fund this (gets a laugh!)
Alternatively: The OWASP Open Web Application Security Project is an organization providing resources which provides heaps of information on attacks points and solutions for these.

Leverage unit testing… and include security tests in the unit tests. This is obviously particularly effective in a continuous integration environment.

To speed up this process, use common security components such as those at Open Enterprise Security. Organizationally, this needs to be communicated across the development team(s).

Leverage and consolidate sprints… and ensure that all security stories are included in each sprint. For dealing with security stories which don’t fit into any particular sprint, run sprints that are focussed solely on security.

Great line (paraphrased): Web apps are a kind of “perfect storm” comprising a complex mixture of technologies, which results both in a large attack surface area as well as numerous subtle edge cases which make us more vulnerable.

Couldn’t agree more!!!

I found this talk excellent both stylistically and, more importantly, in terms of content. There are still voices out there which claim that agile in some way incompatible with quality. Talks like this should go some way to quell those remaining voices. Although the pair used AJAX’s inherent security vulnerabilities to highlight the necessity for a systematic approach to security in agile environments, much of what they recommend applies to any agile environment, whether it is creating AJAX applications or not.

Session title: Securing AJAX Applications
Speakers: Moritz Kuhn, Philipp Färber – AdNovum Informatik AG

The subtitle of this talk is: “New threats and defenses?” Does the question mark imply that they will question the existence of new threats?

Speaker Moritz begins by citing some interesting attacks which took place recently, one of which took down myspace for a period of time – apparently using a simple JavaScript payload.

Proceeds to explain the “Same Origin” policy, which is designed to prevent a JS script in one frame from accessing the DOM in another frame. Note that this is enforced at the Window’s border. However, the rules are very complex and apply to cookies, XHR… and several other areas.

XMLHttpRequest has a stricter security model, which is often a pain for developers because it is inflexible, yet it is too loose for engineers because it is ambiguous.

Cross-Site Scripting (XSS) is an attack which exploits ambiguity in Same Origin rules.

Cross-Site Request Forgery (CSRF) when the victim is logged into an authenticated web application and his browser stores a session cookie for the app. The attackers web page makes the victim’s browser send a request to the vulnerable web app. The victim’s browser appends the cookie to the end of his request.

Speaker demos these attacks by showing how an attacking app can insert JavaScript code into a calendar; points out that the code could contain anything… reading email for example. Scary stuff!

How to combat these threats? Philipp takes to the stage…

Begins by contrasting classic and AJAX architectures, which increases awareness of the technical interactions involved between the parties.

Looking from the server-side, need to consider that the attack-surface is increased in an AJAX architecture e.g. via exposed services, protocols, sessions, domains. Also: code contains call params and service URLs. Finally, there are concurrency issues.

From the client side, new attacks are around like JSON hijacking and DOM-based XSS with URl fragments.

A final observation from the speaker is that one of the consequences of all this is that testing is getting harder. Exhaustive testing is obviously out of the question.

Counter-measures:

Input validation, output encoding, service hardening. Retain awareness of the technologies you are using. Defensive design involves avoiding mashup-like services, KISS and using separate domains for public and private data. Points out the fact that the Google domain strategy is open to XSS attacks.

Some AJAX-specific counter-measures: Know the output’s insertion context (don’t allow angled brackets in the output, for example!); Ensure no sensitive data is sent to the client (be aware what your frameworks are sending!); Prefix all JSON replies e.g. ‘while(1); {”x”:”y”}’; Add a random number to a response and match it up when the next request comes in. This can’t be predicted in advance by an attacker (I like this!); Validate services responses – also in the client; Understand and use a secure framework e.g. GWT, prototype, jQuery…

Rigorous testing is obviously a must; Designing for security/testing upfront is a must; Test individual AJAX features individually; Simulate malicious requests…

Conclusion: AJAX means: Old threats + new threats + higher complexity = bad news.

Summary: I never cease to be shocked by the degree of details and complexity which the developer has to be acquainted with in order to make an AJAX-based app secure. The reality of AJAX development is that in most projects the developer will be focussed on delivering the the core business requirements and getting the look and feel right. With this focus security holes are virtually inevitably.

A very worthwhile presentation!

Title: Java SE and JavaFX RoadMap
Speaker: Danny Coward, Chief Architect, Client Software

Danny begins be showing the JavaFX roadmap…

Towards the end of the timeline: “JavaFX.next”
What on Earth could that mean?
In any case: JDK 7 release due early 2010.

Top 5 JDK SE 7 features

1: Modularity
Long overdue, the current JRE is around 14MB and contains a wide range of APIs. The average app only requires a small proportion of these. It also increases startup time.
Danny points out a number of weaknesses in the CLASSPATH concept. This will apparently be addressed by a low-level modularilty system entitled Jigsaw.
http://openjdk.java.net/projects/jigsaw/jcp.prg/en/jsr/detail?id=294
The concept externalizes the package depenencies to a module file… which reminds me of Eiffel’s solution to this issue which is donkeys years old.

2: Broadening the JVM to accelerate runtimes
DaVinci Project should result in a new bytecode model, which enables dynamic invocation, lightweight method handles and a variety of other optimizations.
http://openjdk.java.net/projects/mlvm

3: Java Language Additions
Project coin will result in a few small language enhancements:
http://openjdk.java.net/projects/coin
The switch statement will work with Strings.
Multiple Exception handling
catch (final IOException | ServletException e)

Improved type interence will remove the need to double-declare generics so:
List l = new ArrayList()
Becomes:
List l = new ArrayList ()

Elvis operator eliminates a significant cause of Java’s verbosity:
String s = mayBeNull?.toString() ?: “nothing”;

Integer ival = …
int i = ival ?: -1; // will be set if currently null

Must confess, this is not what I understand by the Elvis operator, but it looks useful nevertheless.

4: Four new I/O APIs
These include: New filesystem API, File notifications, Directory operations, Asynchronous I/O. The latter permits an IO task to be defined using a Future, the Future delivering the result at a later point in time.

5: New GC
New garbage collector “Garbage First” should result in predictably low pauses, few full GCs and good throughput. Can be accessed in Java SE6 update 14 using:
-XX:+UnlockExperimentalVMOptions –XX:+UseG1GC

This will be switched on by default in JDK 7.

Danny notes at this point that numerous other (small) features are also part of JDK 7.

JavaFX 1.2 Top 5
Danny begins by stating that Sun is trying to make up for lost time with JavaFX (as I have blogged in the past).

More platforms
JavaFX 1.2 runs on more platforms i.e. Linux and Solaris in addition to Windows and Mac. LG TV (purchasable in South Korea) incorporates JavaFX1.2. Finally, the HTC developer phone is also mentioned. Danny states that he hopes that phones will be available to consumers on the coming months. Don’t we all!?

New features
New widgets, charts, plus a new look and feel. L&F is possible via CSS, which is obviously a whole load easier than creating an L&F for Swing.
Improved layout management
Layout management: There are three new layout managers, but I know from experience these don’t yet cut it for non-trivial B2B apps.
There follow a series of nice looking demos, which highlight that JavaFx is scenegraph based.

Improved perforamance
Performance up: Realtime streaming for media is now supported, which improves media startup significantly. Various optimizations in generated code and scenegraph. Bytecode footprint is down 30%.

Improved data handling
More and better ways to use data. RSS and Atom feed support. A simple asynchronous framework is also included, plus a simple data storage API.

One final demo is really impressive: Using the bubblemark demo, Danny demos that JavaFX 1.2 performance is significantly better than Silverlight. Now that I would not have expected!

Session: Jsf and Ajax in the Credit Suisse
From: Benjamin Bratkus, Credit Suisse; Micha Kiener, Mimacom AG

It will be interesting to see what CS has been up to with JSF. My last JSF project finished early in 2008. I look back to it with pleasure not primarily because we used JSF but because we really got to use all of the key JEE features under Glassfish – which worked sweetly. JSF (which included facelets), on the other hand…

CS began with JSF in 2004. Corporations begin what they are, this resulted in a pilot (2005). Release 1 of their app took place in 2007. Since then CS claims to have one of the biggest JSF-based component libraries around.

 
Framework must support:

• Realtime data
• Handle huge data sets
• AJAX and JavaScript due to security aspects

…and must achieve acceptance by various architects.

The speakers also used ICEFaces to achieve the required level of interactivity and security. Specifically: Direct-to-DOM rendering (D2D), page level AJAX on existing components, AJAX Push capabilities.

Key to achieving efficient push: Asynchronous server push, which will apparently become standardised in the next version of ICEFaces. This approach frees up threads on the server-side, which is obviously essential for scalability.

Summary: Good talk, competent speakers. I still feel sorry for the average AJAX developer, who despite frameworks like ICEFaces is confronted with myriad non-trivial technical details. Plus, I imagine CS is not confronted with the other big pain for browser-based RIA: Multiple browsers.