techno.blog("Dion")

One of the controversial points of EJB 3, is whether it should be backwards compatible. The programming model is so different, that it hardly seems right to force 2.1 compliance, but rather, make that an option.

In fact, one of the instant poll questions at TheServerSide Symposium backed this up:

How do you think the EJB 3 spec should handle backwards compatibility (e.g. to allow for a Spring compliant version)

1) Make EJB 2.1 support and below MANDATORY
2) Make EJB 2.1 support and below OPTIONAL (a check box for vendors to compete)

The results came back as ~80% of the crowd wanting this to be optional. Linda DeMichiel mentioned on the panel that she did hear the community here, although I do realise that she has other groups wanting other things. Kudos to her for being the spec lead ;)

Many people at the show laid their point down:

Tim Dawson: Vendors don’t care that the spec enforces backwards compatibility, they care about which server vendors do!

Hear, hear,

We also know that many dev groups need to be able to say “I am using EJB compliant software”. This is from vendors to ISVs to large IT organizations. It is a reality. And, although a couple of vendors told me at the show:

Spring can support the EJB 3 annotations, so they will be source-code compliant…

I think this is short sited. You can’t say “Oh, well we aren’t EJB 3 certified, but we do grok it. Promise”.

So, what if the EJB spec does continue to enforce EJB 2.1 compatibility?

I am not as worried about this anymore. Of course, I would love to see the likes of Spring able to support EJB 3, but there is a good solution if it isn’t the case. Geronimo/Spring integration.

What if Geronimo had first class integration with Spring? Spring Beans/modules could automatically be loaded up with no need for anything else. There are many, many ways in which the two could integrate, and I have heard of some very exciting possibilities from the teams.

What this does, is that it changes the game. We can get the best of all worlds.

If you work in a place that requires “application servers” and the like, you can just use Geronimo for that need… which will be a fully compliant EJB 3, J2EE 5, server.

So, I predict that:

Geronimo will become the server to run the Spring framework within.

Imagine it! EJB 3 view on your Spring modules! No need for Spring to have to implement the spec at all!

You tend to see a lot of copy ‘n paste reuse in JavaScript usage. It just seems to be that kind of mentality. One example of this, is asking for ‘permissions’ from the browser that you may do when building a rich application.

For example, Ben and I had to do this for RSSBling (rich javascript RSS viewer with dynamic offline capabilities).

Security Management with Mozilla

Mozilla needs permission to open up the platform (such as reading from disk, writing to disk, talking to different hosts, etc).

This is where you can sign your code.

You need to ask permission to use these features, which can look something like:

try {
if (netscape.security.PrivilegeManager.enablePrivilege) {
netscape.security.PrivilegeManager.enablePrivilege('UniversalBrowserRead');
}
} catch (ex) { // eat it
}

Security Code Duplication

You often see duplication such as:

function getFeeds() {
try {
if (netscape.security.PrivilegeManager.enablePrivilege) {
netscape.security.PrivilegeManager.enablePrivilege('UniversalBrowserRead');
}
} catch (ex) { // eat it
}

var xhr = new XMLHttpRequest();
xhr.open("GET", ((useProxy) ? proxyBaseUrl : "http://") + baseUrl + "/listsubs", true);
xhr.onreadystatechange = function() {
parseFeeds(xhr);
};
xhr.send(null);
}

function buildFeeds(feedXML) {
showLoading();

try {
if (netscape.security.PrivilegeManager.enablePrivilege) {
netscape.security.PrivilegeManager.enablePrivilege('UniversalBrowserRead');
}
} catch (ex) { // eat it
}

var outlines = feedXML.getElementsByTagName('outline');

...
}

etc etc, duplicating the security piece

Security Code Encapsulation

Firstly, we don’t want to have all of those lines of code. You could fall into the trap of coming up with:

function securePrivilege(priv) {
// insert the try/catch code from above, plus anything for the other browsers
}

Then you could make sure that you call securePrivilege('UniversalBrowserRead') before you need it. This will not work at all, as the way that enablePrivilege does its job, is that the privilege that you secure, is only applied in that scope. This means that the priviledge is only even around INSIDE securePrivilege(priv), and is thus useless :)

Security Code Encapsulation with Closures

Luckily, JavaScript has some nice features which allow us to get around this problem. What you can end up doing, instead of calling securePrivilege(..), you call a method which:

• Takes the function to call
• Sets up the priviledge
• Calls the function

This could look something like this:

function applyPriviledge(priviledge, functionCallback) {
// -- enablePriviledge first
try {
if (netscape.security.PrivilegeManager.enablePrivilege) {
netscape.security.PrivilegeManager.enablePrivilege(priviledge);
}
} catch (ex) { // eat it
}

// -- Call the function itself
functionCallback()
}

// -- Helper functions for particular priviledges
function applyReadPriviledge(functionCallback) {
applyPriviledge('UniversalBrowserRead', functionCallback);
}

You would use this with something like:

function getCount() {
applyReadPriviledge(setupXHR);
}

function setupXHR() {

var xhr = new XMLHttpRequest();
xhr.open("GET", "http://sqlaop.com/xhr/counter.jsp", true);
xhr.onreadystatechange = function() {
countCallback(xhr);
}
xhr.send(null);
}

function countCallback(xhr) {
if (xhr.readyState == 4) {
if (xhr.status == 200) {
applyReadPriviledge(function() {
updateCountDom(xhr.responseXML)
});
} else if (xhr.status == 401) {
alert("Username or password incorrect");
} else {
alert("Some kind of HTTP-related glitch occured.");
}
}
}

Encapsulated, but not rid of the cross cutting concern

This is certainly a lot nicer than copying and pasting the lines of code all over, but wouldn’t it be nice if I could say:

Whenever I make a call to XMLHttpRequest, or working with a DOM back from it, or … then please apply the security first

What am I asking for? Well. JavaScript AOP of course! ;)

Adrian Colyer is here at TSSS. It is always a pleasure to chat with him, and he just today posted on The New Holy Trinity.

The nice part of this piece, is that Adrian has taken a lot of what has been said in this area, and puts it together in a nice way. It is one of those resource blogs which you shove up in del.icio.us for use in the future.

Cameron simply doesn’t get it. I am all for AOP, as you can probably tell (based on Hani’s findings ;).

However, I am also very anal about the beauty of SQL, and how relational algebra can be PROVEN. This is one of the reasons why it can be tempting to write code based on this model versus procedural logic which can not be proven.

What the hell happens to this model when AOP gets in the middle? It screws everything up, that is what happens. How can I prove something when an aspect can be weaving into my SQL code on the fly. It just doesn’t work.

However, that being said, if tool support comes along, then it WOULD be tempting to give this all up to get the bonuses of SQL AOP.

I think the jury is still out on SQL AOP.

When you are at a conference it is often really tough to have a smooth ride wrt wireless.

One of the key factors in my experience has been, that top notch stable networks are:

Sponsored by Nortel (or Linksys, or insert other company)

rather than:

Sponsored by [A non networking company]

James Duncun Davidson was talking about the challenges of setting up a conference WiFi setup.

There are issues such as how multicast on a WiFi network becomes N unicast messages. DHCP itself is multicast, so you can easily get into network storms if you are unlucky. You probably shouldn’t give leases for 2 years out to the nodes either…

Also, 802.11b screws up things, so a lot of places try to have two seperate networks for b and g.

Interesting challenges. WiFi is the #1 thing I look for at a conference (I don’t care about the food, or the back-pack!). Hopefully next TSSS will have a less frustrating situation ;)

John Reynolds is worried about the idea of having JavaScript run rampant with Ajax.

I totally understand the concerns however, I have a couple of comments:

• JavaScript and Ajax isn’t the problem. It is how you deal with it. For too long JavaScript == ‘for the web developer to hack away’. We do need tools, and we need practices to help manage them. I would love a clean way to declare “this JavaScript wants to import FooModule version 2.3″ and it is all managed for me (for example).
• Don’t use the technology for the sake of it. Compare the effort to your other choices. E.g. look at Google Suggest. Would it be better for them to have a FLASH version to do the work? or use Ajax?
• Frameworks will be here to help. A lot of components can be written to grok this technology so you don’t have to write the JavaScript. We will just have richer widgets.
• XMLHttpRequest isn’t new!

Development is all about tradeoffs. I think that there are situations where the correct tradeoffs mean that Ajax is a good solution.

This is very cool. Although, it probably shows you what you thought was common sense, it is great to see true analysis.

A joint eye tracking study conducted by search marketing firms Enquiro and Did-it.com and eye tracking firm Eyetools has shown that the vast majority of eye tracking activity during a search happens in a triangle at the top of the search results page indicating that the areas of maximum interest create a

ThoughtWorkers have released a test tool for web applications named Selinium.

Selenium tests run directly in a browsers, just as real users do. And they run in Internet Explorer, Mozilla and Firefox on Windows, Linux and Macintosh. No other test tool covers such a wide array of platforms.

• Browser compatability testing.

  Test your application to see if it works correctly on different
  browsers and operating systems. The same script can run on any Selenium
  platform.

• System functional testing.
  Create regression tests to verify application functionality and user
  acceptance.

Selenium uses a unique mechanism which allows it to run on so multiple
platforms. Installed with your application webserver, Selenium automatically deploys it’s JavaScript automation engine — the Browser Bot — to your browser when you point it at the Selenium install point on your webserver. Thus, you must have write access to the machine your web application server is running on to install Selenium.

To get a quick feel, checkout an example TestRunner and run all of the tests. You will graphically be walked through the tests, with changing content letting you know what is passing and failing.

How does Selenium work?

Selenium uses JavaScript and Iframes to embed a test automation engine in your browser. This technique should work with any JavaScript-enabled browser. Because different browsers handle JavaScript somewhat differently, we usually have to tweak the engine to support new browsers.

A new ANSI-SQL standard has been released, named SQL-AOP 2015. The aim of this sub-spec is to take SQL to the next level, and enable AOP support. Now, your DBA can package cross cutting concerns in “stored aspect libraries” in the database.

Some of the features include:

• Rich pointcut language for SQL
• Capture before/after/around advice on any SQL statement
• Advise PL/SQL, T-SQL, or other code
• Force caching semantics based on AOP policy advice
• Logging
• TX semantics
• Security filters (including: instance based)

You can capture rich semantics such as:

Before the trigger named ‘foo’ causes a change to index ‘x’ make sure that you update ‘bar’

Load up the cache for tables x, y, and z, when a SELECT captures fields f1, and f2, on table t1

Larry Ellison was quoted as saying:

SQL-AOP is going to revolutionize the world of computing. The database is the network. Finally, my vision of the network computer can come to fruition and I can finally make fun of my good friend Steve Jobs.

A developer at TheServerSide symposium responded with:

Finally, I can get rid of the logging code that I scatter in my PL/SQL scripts. This is a god-send for database computing.

Microsoft SQL Server specialists commented that:

We are watching the standard closely, and will only copy from those that go before us. We also have MSSQL-AOP that we are working on, that is similar to this standard, but we changed some of the names, and embedded it into the core .NET framework.

It is great to see more companies come along with open source contributions a la http://opensource.adobe.com.

The main seed release revolves around Adam and Eve:

Adam is a modeling engine and declarative language for describing constraints and relationships on a collection of value, typically the parameters to an application command. When bound to a human interface (HI) Adam provides the logic that controls the HI behavior. Adam is similar in concept to a spreadsheet or a forms manager. Values are set and dependent values are recalculated. Adam provides facilities to resolve interrelated dependencies and to track those dependencies, beyond what a spreadsheet provides.

Eve consists of a declarative language and layout engine for constructing an HI. The layout engine in Eve takes into account a rich description of UI elements to achieve a high quality layout – rivaling what can be achieved with manual placement. A single HI description in Eve suffices for multiple OS platforms and languages. This document describes Eve2, the latest version of Eve. Eve2 was developed to work with Adam and to incorporate many improvements that have been requested since Eve1 was written.

It is important to note that Adam and Eve do not constitute a traditional application framework. They are component libraries which can be incorporated into a number of environments. They can be used together, or independently, but must be combined with other facilities to construct an application. Nearly all of the components which comprise Adam and Eve can also be used independently and are documented as part of ASL.

ASL is being developed in C++, and relies heavily on the Boost libraries http://www.boost.org which are required for building ASL.

It seems like companies are coming out with two forms of community news:

1. New Open Source Contribution!
2. New Web Services APIs To Our Services

There are some interesting differences between the two :)