From the Blogosphere

Oops! HTML5 Does It Again

Wed, 15 Feb 2012 07:28:00 EST

#HTML5 #infosec A multitude of security-related solutions rely upon the ability to extract and examine mime-objects from web-content. HTML5 may significantly impair their ability to do so.

The trade off between security and performance has long been a known issue across IT organizations. One of the first things to go when performance is unacceptable is a security solution. This isn’t just an IT phenomenon either; consider how many of us have disabled endpoint security solutions like anti-virus scanners to improve performance?

Our refusal to be slowed down by what may seem to some as extraneous security is what eventually led IT security professionals to revise their strategies and enforce such scans on inbound content in the network. Network-attached security scanning solutions have long been a staple of inbound e-mail and has found increasing use as a means to scan inbound web-content, as well, as an attempt to eliminate potential malware from having access to the corporate network.

IT Organizations That Trade Security for Performance Deserve Neither

A new [at the time of publication, July 2011] survey of 487 IT professionals that was conducted by Crossbeam, a provider of high-performance security gateways, finds that while 91 percent of the respondents were not only making tradeoffs between security and performance, a full 81 percent were actually disabling security features.

HTML and soon, if we believe the predictions HTML5, is the lingua franca of Internet communication. Oh, applications may speak JSON under the covers, but in the end it’s just data to be displayed to the user which means HTML(5).

What does that mean for anti-virus and malware web scanners? Well, if one of the features of HTML5 being leveraged is WebSockets, a lot. Otherwise, not much. At least not yet.

You see, WebSockets accidentally trades performance for security.

OOPS

One of the things WebSockets does to dramatically improve performance is eliminate all those pesky HTTP headers. You know, things like CONTENT-TYPE. You know, the header that tells the endpoint what kind of content is being transferred, such as text/html and video/avi. One of the things anti-virus and malware scanning solutions are very good at is detecting anomalies in specific types of content. The problem is that without a MIME type, the ability to correctly identify a given object gets a bit iffy. Bits and bytes are bytes and bytes, and while you could certainly infer the type based on format “tells” within the actual data, how would you really know? Sure, the HTTP headers could by lying, but generally speaking the application serving the object doesn’t lie about the type of data and it is a rare vulnerability that attempts to manipulate that value. After all, you want a malicious payload delivered via a specific medium, because that’s the cornerstone upon which many exploits are based – execution of a specific operation against a specific manipulated payload. That means you really need the endpoint to believe the content is of the type it thinks it is.

But couldn’t you just use the URL? Nope – there is no URL associated with objects via a WebSocket. There is also no standard application information that next-generation firewalls can use to differentiate the content; developers are free to innovate and create their own formats and micro-formats, and undoubtedly will. And trying to prevent its use is nigh-unto impossible because of the way in which the upgrade handshake is performed – it’s all over HTTP, and stays HTTP. One minute the session is talking understandable HTTP, the next they’re whispering in Lakota, a traditionally oral-only language which neatly illustrates the overarching point of this post thus far: there’s no way to confidently know what is being passed over a WebSocket unless you “speak” the language used, which you may or may not have access to.

The result of all this confusion is that security software designed to scan for specific signatures or anomalies within specific types of content can’t. They can’t extract the object flowing through a WebSocket because there’s no indication of where it begins or ends, or even what it is. The loss of HTTP headers that indicate not only type but length is problematic for any software – or hardware for that matter – that uses the information contained within to extract and process the data.

WEDGE NETWORKS

Wedge Networks, whose name you may never before heard even though you might have had content scrubbed by their devices and not known it, has a solution to the problem of disaggregating web objects without requiring specific identification by HTTP headers, thus solving this problem and several other similar ones where protocols lack the means to definitively identify specific content by type.

WedgeOS - Network Data Processor Architecture

The WedgeOS Network Data Processor ("NDP") is the proprietary architecture that allows content inspection at Gigabit speeds without impacting network performance. The WedgeOS NDP architecture revolutionized Web Security Appliances with the introduction of BeSecure. BeSecure is capable of intercepting and actively scanning all internet traffic for malicious content as it enters the network.

What they meant to say was “we do deep content inspection on streaming traffic and are able to accurately identify – and subsequently extract – MIME objects at line rate and then scan them for bad stuff you don’t want on your network.” Content comes into their device (and it’s off-the shelf hardware, I’m told), MIME objects are disaggregated regardless of transport or application protocol, shoved down a high-speed internal bus into which are plugged a variety of security scanning functions, and then shoved back out the other side, assuming all was well. Policies enable the ability to determine exactly what happens if there are anomalies or malicious code discovered.

Wedge Networks has partnered with a number of well-known and industry leading security scanning solutions and brought them together into a single device. Applying the old “crack the packet only once” doctrine, the device is able to perform its scans as fast as objects can traverse its internal bus.

The devices deploys in either proxy or transparent mode, with the latter being most popular simply due to the mitigation of disruption that can come with inserting a proxy-based solution into an established network.

Let’s assume for a moment that a Wedge Networks device really does accomplish all this – at line rate. I can’t know, I don’t evaluate products in lab environments any more, so I can take their word for it. But let’s assume it does. That opens a wide variety of possibilities – both inbound and outbound – for protecting web applications and customers alike, and not just for HTML5.

Assuming no degradation of overall performance, the ability to detect and prevent delivery of malware that may have been surgically inserted into your database or CMS via XSS or SQLi would be a boon, if only to let you know it happened much sooner and provide the time necessary to redress the infection. Nearly every rational organization scans inbound e-mail for potential risks, but very few (if any) scan outbound. We all know why – the belief that performance is more important than security, especially when consumer dollars are on the line. If Wedge Networks can do as it promises and not impede performance while still providing a valuable security service, well, that might be something to think about.

Connect with Lori:	Connect with F5:

Related blogs & articles:

Technorati Tags: F5,MacVittie,Wedge Networks,network,security,HTML5,WebSockets,malware,anti-virus,performance,application security,blog

Got REST? Build an HTML5 Mobile App

Thu, 09 Feb 2012 09:00:00 EST

There are literally thousands of different REST APIs available today, and new APIs are being created and exposed daily. There are API aggregator sites such as apigee.com and programmableweb.com that collect APIs from various sites. apigee.com makes available a very nice API console where a REST service can be tested. Testing a REST service is cool but what if you wanted to build a mobile app using it? Tiggzi, the cloud-based mobile app builder comes with a REST API console and makes it super easy to connect to any REST API. Check it out: 1. Enter any REST service URL. In this example I use Cocoafish Location API. Now, this is the most awesome part. You can use any REST URL here. You can of course do get, post, delete and push.

Domain Sharding On-Demand

Mon, 05 Dec 2011 09:00:00 EST

If you’re a web developer, especially one that deals with AJAX or is responsible for page optimization (aka “Make It Faster or Else”), then you’re likely familiar with the technique of domain sharding, if not the specific terminology. For those who aren’t familiar with the technique (or the term), domain sharding is a well-known practice used to trick browsers into opening many more connections with a server than is allowed by default. This is important for improving page load times in the face of a page containing many objects. Given that the number of objects comprising a page has more than tripled in the past 8 years, now averaging nearly 85 objects per page, this technique is not only useful, it’s often a requirement. Modern browsers like to limit browsers to 8 connections per host, which means just to load one page a browser has to not only make 85 requests over 8 connections, but it must also receive those requests over those same, limited 8 connections. Consider, too, that the browser only downloads 2-6 objects over a single connection at a time, making this process somewhat fraught with peril when it comes to performance. This is generally why bandwidth isn’t a bottleneck for web applications but rather it’s TCP related issues such as round trip time (latency).

Infrastructure Architecture: Whitelisting with JSON and API Keys

Fri, 14 Oct 2011 08:30:00 EDT

Application delivery infrastructure can be a valuable partner in architecting solutions …. AJAX and JSON have changed the way in which we architect applications, especially with respect to their ascendancy to rule the realm of integration, i.e. the API. Policies are generally focused on the URI, which has effectively become the exposed interface to any given application function. It’s REST-ful, it’s service-oriented, and it works well. Because we’ve taken to leveraging the URI as a basic building block, as the entry-point into an application, it affords the opportunity to optimize architectures and make more efficient the use of compute power available for processing. This is an increasingly important point, as capacity has become a focal point around which cost and efficiency is measured. By offloading functions to other systems when possible, we are able to increase the useful processing capacity of an given application instance and ensure a higher ratio of valuable processing to resources is achieved.

Adobe MAX 2011 Was Good Despite The Keynotes

Wed, 12 Oct 2011 08:30:00 EDT

Just came back from LA, where I spent three days at MAX – the main Adobe conference. Four people from our company were there and all liked it. I went there to see if the company is still strong, has a clear road map that, hopefully, matches my understanding of where IT population is moving.

HTML5 Local Storage – Building a Sample App in Tiggr Mobile Apps Builder

Thu, 29 Sep 2011 17:38:00 EDT

HTML5′s local storage is undoubtedly one of the most interesting and most talked about features in the HTML5 technology stack. Local storage is part of Web Storage specification and is supported by all modern browsers (destkop and mobile). Although local storage (or Web Storage) sounds rather sophisticated, the functionality is very easy to use. You basically get a map as storage inside the browser (available to all browser windows). You can insert, delete or read key/value pairs. That’s it. Data stored in local storage (localStorage) will be there when you close and open the browser. There is also session storage (sessionStorage). As the name implies, it will be only available as long as the browser window is open, and will be cleared when browser window is closed. The only other thing to know is that data saved by a page is only available for a pages from the same domain. In other words, a page loaded from abc.com, doesn’t have access to data saved by page from domain xyz.com.

Of These Ten Most Hated Jobs, How Many Did You Have?

Mon, 19 Sep 2011 11:00:00 EDT

Earlier this week Yahoo Finance ran an article on the 10 most hated jobs (based on a survey asking hundreds of thousands of employees at a major career site). What amazed me most - apart from the large number of IT jobs, including the top one, making the list – was that I personally was employed in no less than five of these . Now you may think: “What a miserable career that must have been!”, but to be honest, it never felt like that. Sure I can relate to some of dissatisfiers that people listed, such as a lack of direction from upper management (actually described for one of these jobs - guess which one - as “employers are unable to communicate coherently, and lack an understanding of the technology”). But overall I had good fun doing most of my five. In fact, some of my other jobs – although fun at the time - would have been more logical to make the list. As a student I was a part-time restaurant worker (even though my parents insisted the only job I was doing part-time was studying) and when that restaurant burned down I spend 3 months rebuilding it as a construction worker (hard hat and all). Both of which did not make the list.

More Mobile HTML5 Apps for Your Review

Mon, 05 Sep 2011 22:25:00 EDT

This week we have found more mobile HTML5 applications for your review. If you are like me, you want to see what others have done with HTML5 so you can start understanding how you can utilize HTML5 apps in your own enterprise. Salesforce has just announced a new application based on open standard HTML5 technology. The app will be available in 2012 and will run on most popular mobile devices. Salesforce CEO Marc Benioff says “The change in hardware is also being complemented by a huge change in software – and that software is HTML5. This software will give us the ability to build applications that run natively on mobile devices, but are also managed as a service…”

HTML5 Going Like Gangbusters But Will Anyone Notice?

Tue, 16 Aug 2011 09:15:00 EDT

There’s a war on the horizon. But despite appearances, it’s a war for interactive web application dominance, and not one that’s likely to impact very heavily the war between mobile and web applications. First we have a report by ABI Research indicating a surge in the support of HTML5 on mobile devices indicating substantially impressive growth over the next five years. More than 2.1 billion mobile devices will have HTML5 browsers by 2016, up from just 109 million in 2010, according to a new report by ABI Research. -- The HTML Boom is Coming. Fast. (June 22, 2011)

HTML5 - What I Am Learning

Sun, 10 Jul 2011 18:38:00 EDT

With all the discussion around HTML5, I thought I would spend some time getting to know more about it myself. I will be researching it and sharing what I am learning through a series of articles over the next month. I have read that it is expected to have a huge impact on mobile software applications and the business models of software vendors. Is it ready for prime time? I hear a variety of opinions on that subject. Sybase has stated that their goal is to "enable web developers to become mobile application developers" through the use of HTML5 and their mobile SDK that will come with SUP (the Sybase Unwired Platform). I was told by Nick Brown at SAP that version 2.1 of SUP would be out in the September 2011 time frame and this version will include HTML5 support and an HTML5 container.

Five Years Later: OpenAJAX Who?

Thu, 30 Jun 2011 11:45:00 EDT

Five years ago the OpenAjax Alliance was founded with the intention of providing interoperability between what was quickly becoming a morass of AJAX-based libraries and APIs. Where is it today, and why has it failed to achieve more prominence?

I stumbled recently over a nearly five year old article I wrote in 2006 for Network Computing on the OpenAjax initiative. Remember, AJAX and Web 2.0 were just coming of age then, and mentions of Web 2.0 or AJAX were much like that of “cloud” today. You couldn’t turn around without hearing someone promoting their solution by associating with Web 2.0 or AJAX. After reading the opening paragraph I remembered clearly writing the article and being skeptical, even then, of what impact such an alliance would have on the industry. Being a developer by trade I’m well aware of how impactful “standards” and “specifications” really are in the real world, but the problem – interoperability across a growing field of JavaScript libraries – seemed at the time real and imminent, so there was a need for someone to address it before it completely got out of hand.

With the OpenAjax Alliance comes the possibility for a unified language, as well as a set of APIs, on which developers could easily implement dynamic Web applications. A unified toolkit would offer consistency in a market that has myriad Ajax-based technologies in play, providing the enterprise with a broader pool of developers able to offer long term support for applications and a stable base on which to build applications. As is the case with many fledgling technologies, one toolkit will become the standard—whether through a standards body or by de facto adoption—and Dojo is one of the favored entrants in the race to become that standard.

-- AJAX-based Dojo Toolkit , Network Computing, Oct 2006

The goal was simple: interoperability. The way in which the alliance went about achieving that goal, however, may have something to do with its lackluster performance lo these past five years and its descent into obscurity.

5 YEAR ACCOMPLISHMENTS of the OPENAJAX ALLIANCE

The OpenAjax Alliance members have not been idle. They have published several very complete and well-defined specifications including one “industry standard”: OpenAjax Metadata.

OpenAjax Hub

The OpenAjax Hub is a set of standard JavaScript functionality defined by the OpenAjax Alliance that addresses key interoperability and security issues that arise when multiple Ajax libraries and/or components are used within the same web page. (OpenAjax Hub 2.0 Specification)

OpenAjax Metadata

OpenAjax Metadata represents a set of industry-standard metadata defined by the OpenAjax Alliance that enhances interoperability across Ajax toolkits and Ajax products (OpenAjax Metadata 1.0 Specification)
OpenAjax Metadata defines Ajax industry standards for an XML format that describes the JavaScript APIs and widgets found within Ajax toolkits. (OpenAjax Alliance Recent News)

It is interesting to see the calling out of XML as the format of choice on the OpenAjax Metadata (OAM) specification given the recent rise to ascendancy of JSON as the preferred format for developers for APIs. Granted, when the alliance was formed XML was all the rage and it was believed it would be the dominant format for quite some time given the popularity of similar technological models such as SOA, but still – the reliance on XML while the plurality of developers race to JSON may provide some insight on why OpenAjax has received very little notice since its inception.

Ignoring the XML factor (which undoubtedly is a fairly impactful one) there is still the matter of how the alliance chose to address run-time interoperability with OpenAjax Hub (OAH) – a hub. A publish-subscribe hub, to be more precise, in which OAH mediates for various toolkits on the same page. Don summed it up nicely during a discussion on the topic: it’s page-level integration. This is a very different approach to the problem than it first appeared the alliance would take.

The article on the alliance and its intended purpose five years ago clearly indicate where I thought this was going – and where it should go: an industry standard model and/or set of APIs to which other toolkit developers would design and write such that the interface (the method calls) would be unified across all toolkits while the implementation would remain whatever the toolkit designers desired.

I was clearly under the influence of SOA and its decouple everything premise. Come to think of it, I still am, because interoperability assumes such a model – always has, likely always will. Even in the network, at the IP layer, we have standardized interfaces with vendor implementation being decoupled and completely different at the code base. An Ethernet header is always in a specified format, and it is that standardized interface that makes the Net go over, under, around and through the various routers and switches and components that make up the Internets with alacrity. Routing problems today are caused by human error in configuration or failure – never incompatibility in form or function.

Neither specification has really taken that direction. OAM – as previously noted – standardizes on XML and is primarily used to describe APIs and components - it isn’t an API or model itself. The Alliance wiki describes the specification: “The primary target consumers of OpenAjax Metadata 1.0 are software products, particularly Web page developer tools targeting Ajax developers.” Very few software products have implemented support for OAM. IBM, a key player in the Alliance, leverages the OpenAjax Hub for secure mashup development and also implements OAM in several of its products, including Rational Application Developer (RAD) and IBM Mashup Center. Eclipse also includes support for OAM, as does Adobe Dreamweaver CS4. The IDE working group has developed an open source set of tools based on OAM, but what appears to be missing is adoption of OAM by producers of favored toolkits such as jQuery, Prototype and MooTools. Doing so would certainly make development of AJAX-based applications within development environments much simpler and more consistent, but it does not appear to gaining widespread support or mindshare despite IBM’s efforts.

The focus of the OpenAjax interoperability efforts appears to be on a hub / integration method of interoperability, one that is certainly not in line with reality. While certainly developers may at times combine JavaScript libraries to build the rich, interactive interfaces demanded by consumers of a Web 2.0 application, this is the exception and not the rule and the pub/sub basis of OpenAjax which implements a secondary event-driven framework seems overkill. Conflicts between libraries, performance issues with load-times dragged down by the inclusion of multiple files and simplicity tend to drive developers to a single library when possible (which is most of the time). It appears, simply, that the OpenAJAX Alliance – driven perhaps by active members for whom solutions providing integration and hub-based interoperability is typical (IBM, BEA (now Oracle), Microsoft and other enterprise heavyweights – has chosen a target in another field; one on which developers today are just not playing.

It appears OpenAjax tried to bring an enterprise application integration (EAI) solution to a problem that didn’t – and likely won’t ever – exist. So it’s no surprise to discover that references to and activity from OpenAjax are nearly zero since 2009. Given the statistics showing the rise of JQuery – both as a percentage of site usage and developer usage – to the top of the JavaScript library heap, it appears that at least the prediction that “one toolkit will become the standard—whether through a standards body or by de facto adoption” was accurate.

Of course, since that’s always the way it works in technology, it was kind of a sure bet, wasn’t it?

WHY INFRASTRUCTURE SERVICE PROVIDERS and VENDORS CARE ABOUT DEVELOPER STANDARDS

You might notice in the list of members of the OpenAJAX alliance several infrastructure vendors. Folks who produce application delivery controllers, switches and routers and security-focused solutions. This is not uncommon nor should it seem odd to the casual observer. All data flows, ultimately, through the network and thus, every component that might need to act in some way upon that data needs to be aware of and knowledgeable regarding the methods used by developers to perform such data exchanges. In the age of hyper-scalability and über security, it behooves infrastructure vendors – and increasingly cloud computing providers that offer infrastructure services – to be very aware of the methods and toolkits being used by developers to build applications. Applying security policies to JSON-encoded data, for example, requires very different techniques and skills than would be the case for XML-formatted data. AJAX-based applications, a.k.a. Web 2.0, requires different scalability patterns to achieve maximum performance and utilization of resources than is the case for traditional form-based, HTML applications. The type of content as well as the usage patterns for applications can dramatically impact the application delivery policies necessary to achieve operational and business objectives for that application.

As developers standardize through selection and implementation of toolkits, vendors and providers can then begin to focus solutions specifically for those choices. Templates and policies geared toward optimizing and accelerating JQuery, for example, is possible and probable. Being able to provide pre-developed and tested security profiles specifically for JQuery, for example, reduces the time to deploy such applications in a production environment by eliminating the test and tweak cycle that occurs when applications are tossed over the wall to operations by developers. For example, the jQuery.ajax() documentation states:

By default, Ajax requests are sent using the GET HTTP method. If the POST method is required, the method can be specified by setting a value for the type option. This option affects how the contents of the data option are sent to the server. POST data will always be transmitted to the server using UTF-8 charset, per the W3C XMLHTTPRequest standard.

The data option can contain either a query string of the form key1=value1&key2=value2, or a map of the form {key1: 'value1', key2: 'value2'}. If the latter form is used, the data is converted into a query string using jQuery.param() before it is sent. This processing can be circumvented by setting processData to false. The processing might be undesirable if you wish to send an XML object to the server; in this case, change the contentType option from application/x-www-form-urlencoded to a more appropriate MIME type.

Web application firewalls that may be configured to detect exploitation of such data – attempts at SQL injection, for example – must be able to parse this data in order to make a determination regarding the legitimacy of the input. Similarly, application delivery controllers and load balancing services configured to perform application layer switching based on data values or submission URI will also need to be able to parse and act upon that data. That requires an understanding of how jQuery formats its data and what to expect, such that it can be parsed, interpreted and processed.

By understanding jQuery – and other developer toolkits and standards used to exchange data – infrastructure service providers and vendors can more readily provide security and delivery policies tailored to those formats natively, which greatly reduces the impact of intermediate processing on performance while ensuring the secure, healthy delivery of applications.

Connect with Lori:	Connect with F5:

Related blogs & articles:

Technorati Tags: F5,MacVittie,Ajax,Dojo,OpenAjax Alliance,IBM,Microsoft,Adobe,development,Web 2.0,SOA,integration,interoperability,infrastructure

How a Java Programmer Should Select the Right Lane in a Supermarket

Mon, 16 May 2011 12:15:00 EDT

Christophe Herreman, a Java developer from Belgium, made the following tweet today: “At the supermarket, and I once again seem to have picked the wrong lane... I wonder if there is a strategy for this.” Being a member of the Java community myself, I feel obligated to offer my approach to making this very important decision that every Java developer has to make on a weekly basis. First, I need to make a statement: out of all APIs I like Java Message Service (JMS) the most. IMO, JMS is the right way of architecting loosely coupled and reliable distributed applications. I explained this five years ago in the fifth article of my dissertation titled "Yakov’s Gas Station". BTW, last week, I joined a project at a financial company and was pleasantly surprised learning that the trading application was build using just JMS, JNDI, and JDBC without the use of any other frameworks.

Thirty Tips to Improve JavaScript Performance

Sun, 15 May 2011 15:32:00 EDT

Are you a webmaster or web developer? Want to create super-fast websites? You may have Monitis’s recent posts sharing tips for improving the performance of Windows Server 2008 and Linux Servers, and we hope that they’ve helped you. Now, we’re moving on to Javascript — that wonderful — but complicated — technology that enriches sites but can often get in the way of their efficient operation and slow down the user experience. And improving the user experience — whether it’s consumers or sysadmins — is our mission at Monitis. Why? Because it has been proven that optimal end-user experience improves site conversion rates, Google search rankings and web visitor satisfaction rates. What does that mean? Better business for you and your company!

How to Highlight a Field in JSF When Validation Fails

Wed, 04 May 2011 08:03:00 EDT

Highlighting an input field that failed validation (or conversation) is a common UI practice today. This sort of functionality is not available in JSF (nor RichFaces) out of the box (Seam does have it). I got an email from RichFaces 4 workshop attendee from CONFESS_2011 conference asking how to do it and I thought it’s a good idea to make it blog post. It turns out, implementing such functionality is pretty simple. All we need to do is check if a particular field (component) is valid and then render or not render a style for the input field.

State Department Photos of My Abducted Daughter Sofia in Syria

Wed, 13 Apr 2011 18:45:00 EDT

Wednesday morning I received new photographs of Sofia from the State Department in Washington, DC. Sofia remains in Syria since being abducted in July 2010. The day after my last tweet regarding the lack of any new information about my abducted daughter Sofia since March 4, I received an updated letter on Thursday, April 7, 2011, from the State Department on Sofia's welfare in Syria. Sofia was abducted by her mother from the United States to Syria last July, following her diagnosis of GDD with possible autism. She had 13 remaining medical appointments left at the time of her abduction, none of which she was able to keep. Last week's welfare report prepared by our Embassy in Damascus, Syria, after their second welfare visit to the home in Syria where Sofia remains with her mother and grandmother, showed a bleaker outcome for my daughter than the previous report dated November 2010.

General Alexander on Technology

Mon, 28 Feb 2011 10:39:00 EST

Last week, General Alexander (director of NSA and commander, USCYBERCOM) spoke at the RSA conference in San Francisco. He pointed out the the explosion of technology over the past 10 years. That users went from an average of 250MB of personal files, to over 128GB. The fact that 70% of Americans online are on Facebook – that 600M users worldwide are as well. This, mixed with the huge advances in programming (Watson and Deep Blue) lets us know that we do have the capability to protect and defend our advanced networks. Related posts:

Why Go with RichFaces

Tue, 15 Feb 2011 11:45:00 EST

Lately I have seen a spike in questions such as which JSF 2.0 component library is better? Or RichFaces vs PrimeFaces and there is also performance comparison. It’s probably because JSF 2 is being used more and more and people want to know which library to use. I guess that’s fair. Here is my 2 [...]

Have a Seat Mr. Website Owner, It’s Time for a Little Introspection

Mon, 31 Jan 2011 07:15:00 EST

When a client signs a contract with me for a web design, the first thing I do is send them a three page questionnaire and request they answer as many questions as they deem appropriate. This questionnaire helps me get inside their heads and it helps me better understand their marketing objectives, the opinion of ...

Okta Seeks to Accelerate Secure Adoption of Cloud Apps

Mon, 31 Jan 2011 06:15:00 EST

"Enterprises everywhere are realizing the inherent benefits of running their core IT services in the cloud,” said Todd McKinnon, most recently VP of Engineering at Salesforce.com from 2003 to 2009, and now CEO of the on-demand identity and access management service, Okta. "This shift fundamentally requires them to rethink their IT infrastructure and how their employees access it," McKinnon added. "Okta," he continued, "is the only enterprise class, on-demand service purpose built to help customer secure and manage their entire cloud services network and the people who need access to it, with no professional services required."

Facebook, Google, and the Near-Term Future of the USA

Fri, 28 Jan 2011 08:45:00 EST

On the day when the Dow Jones Industrial Average topped 12,000 for the first time since June 2008, it was impossible not to correlate the eloquence and optimism of President Obama's "State of the Union" speech on Tuesday night with the restoration of a sense of perspective and hope in the USA about the future.

Book Review: JSF 2.0 Cookbook

Mon, 03 Jan 2011 16:15:00 EST

Last July, I was asked to review JSF 2.0 Cookbook by Anghel Leonard. I finally found time to finish reading the book and wrote a review. (If you are interested, back in April I reviewed another book from Packt Publishing: JSF 1.2 Components.) Chapter 1 – Using Standard and Custom Converters in JSF The chapter [...]

Hacking or Design Patterns?

Sun, 12 Dec 2010 19:08:00 EST

Earlier this year, in an interview for Oracle, I made a statement defending hacking. Yesterday, I found a thread on theserverside.com where java developers were sharing their view on the subject. In this blog I’ll take the same two quotes there ignited some arguments and will try to explain my point of view. 1. "Recently, I've been running a seminar for a small group of Java developers. Several times they've asked me, 'Is this code an example of MVC pattern?' I got the impression that implementing MVC had become an end in itself. Using Design Patterns is not a dogma. Just write the code that makes sense. Not everything that makes sense has a named design pattern."

Antivirus Add-On for IE Causing Load Time Problems

Fri, 03 Dec 2010 07:00:00 EST

So it seems that the Antivirus Add-On in Internet Explorer is causing a major impact in page load time. The AV Add-On needs to check all loaded JavaScript files for malicious code. In the example of Pedro and Frank they load jQuery, several jQuery plugins and some custom JS. This slows down their page load time as the browser cannot continue downloading additional content until the JavaScript files have been fully downloaded and executed.

Will Oracle Bid for HP?

Wed, 22 Sep 2010 11:00:00 EDT

"Larry Ellison is borderline bat-shit crazy on a good day," the analyst Rob Enderle is quoted as saying in a piece last week by Sam Gustin - a senior writer at DailyFinance, an AOL Finance & Money site. Enderle was prompted to utter this remark by speculation that perhaps the Oracle CEO is about to embark upon the acquisition of his life: of HP.

Textbooks or the Cloud?

Fri, 03 Sep 2010 08:15:00 EDT

A heavy book! What would you rather carry on your back — textbooks or lighter than air apps and data? When I went to school (six miles each way in the snow and rain, LOL), every year the books got heavier. Now, students can look forward to easy trips home with courses online — brought to them by the cloud. I recently read a commentary that said textbooks met the needs of 19th and 2oth century students, but that they fall short of the needs of today’s interactive students. “They are old-school delivery that supports old-school pedagogy,” the author stated. ” (OK, I must admit, I had to go to Wikipedia to find out what “pedagogy” means.)

Why Didn’t I Start Salesforce.com?

Sun, 29 Aug 2010 15:15:00 EDT

Between 1991 and 1994 I worked for the French company Rhône-Poulenc in its U.S. headquarters in Cranbury, New Jersey. Rhône-Poulenc is the biggest French company in the world and is owned by the French government. During those three years I designed, coded and delivered a state-of-the-art salesforce automation system for the company, with a support team of five. We spent roughly $2 million on hardware but the company saved an estimated $11 million in outside consulting fees. The best bid for the job would take roughly five years to complete and would have been inferior to what we developed. And it probably would never have made it out in five years anyway. With a five-year project, requirements change, and if the requirements remain the same then the people change. So a consulting company awarded such a contract gets paid but doesn't necessarily need to deliver the goods. The basic rule of a consulting business is to get the contract, you think about delivery later on. If you don't get the contract, you don't have a project to think about. My view of consultants is that most of them are like castrated bulls, all they can do is advice.

Open Letter to the President of Syria Bashar al-Assad

Thu, 29 Jul 2010 07:00:00 EDT

Mr. and Mrs. President Bashar al-Assad: At the tender age of 17 months my severely ill daughter Sofia, an American citizen, was abducted by her mother on Monday, July 26, in Istanbul, Turkey, and taken to Syria. I was informed yesterday by Sofia's mother that she will not be coming back to the United States nor will she allow Sofia to return home. Sofia has been diagnosed with a severe medical condition that requires immediate treatment in the United States. It was scheduled to start on July 27, 2010, in New Jersey, the day after her abduction and was supposed to last until she reaches the age of 3. Any delay in the urgently needed treatment will result in a life-long disability for Sofia and make her dependent for the whole of her adult life. The treatment is not available in Syria. Mr. President, I grew up in Turkey listening to the evening news during our family dinners where I used to hear your father Hafez al-Assad's name more often than the names of my own family together with Menachem Begin, Golda Meir, Anwar Sadat, and Yasser Arafat. I plead with you on behalf of my daughter Sofia to learn of her whereabouts and see her safely and speedily returned home. I also respectfully request a visa to Syria to meet her at the United States Embassy in Damascus to bring her home. Mrs. President, parents around the world have only the Hague Convention to rely on in international child abduction cases. I urge your humanitarian consideration, as the mother of a precious child, to fight for Syria to be a part of the Hague Convention. Thank you in advance.

Amazon’s Push for the Enterprise

Tue, 27 Jul 2010 08:45:00 EDT

This also seems to be a natural adjacent market for Amazon (the IaaS company – not the online retailer). If they already successfully host web startups and are the most well-known compute platform for tasks such video transcoding or text recognition – why not use that same expertise and infrastructure to sell it to enterprises? Enterprise IT is a huge market with great margins, and as corporate CIOs are looking for ways to use the cloud to cut costs and/or become more agile – Amazon has the brand recognition to be their number one choice. This seems to be a high priority effort for the company considering that they have their CTO attending and delivering his keynote at events like the one in LA. And it should be if Amazon does not want to be squeezed between enterprise vendors like Microsoft and VMware getting the higher margin enterprise cloud segment, while initiatives like OpenStack commoditizing lower end cloud compute services.

The Dichotomy of AJAX and RESTful API's

Wed, 30 Jun 2010 23:03:00 EDT

Had an interesting conversation the other day with Adam, our lead interface developer at Enomaly. He's been our key AJAX and API developer on the Enomaly ECP platform for several years. During our random afternoon chat he basically said that AJAX is quite possibly the worst way to consume a RESTful API. He pointed out the purpose of a RESTful approach to API development & implementation is in its similarities to HTTP and more generally uri/urls -- each of which is easily viewable both programmatic as well as visually. The problem is AJAX is kind of the opposite. Most of the things that make the web great, such as urls, hyperlinks and bookmarking are not easily done or seen in a AJAX application. All the benefits to a RESTful architecture are hidden by the AJAX itself making development longer, more difficult to debug and often harder to scale.

Adobe Should Cut Its iPhone Losses and Switch Focus

Tue, 29 Jun 2010 09:11:00 EDT

Adobe should cut its losses with Apple and target its flagship Flash Player at telecoms carriers, independent analyst Ovum has claimed in a new report*. With the spat over Apple's refusal to support the Adobe Flash technology on its iPhone, iPad and iPod Touch devices continuing to generate column inches, Ovum believes it is time for Adobe to turn the tables by courting new sponsors of its technology in the shape of telecoms operators. The report states that Adobe and telecoms carriers are faced with similar threats and share similar goals in relation to value-added applications and content, and that carriers should therefore seek an industry-wide partnership with Adobe to use Flash as the basis of their own multi-screen device, development, delivery, and distribution systems.

RichFaces 4 Alpha 2 Is Now Available, Project Template

Mon, 21 Jun 2010 14:56:00 EDT

The RichFaces team has made a major step toward RichFaces 4 by releasing Alpha 2 version. I'm hoping to see GA in September. Keep in mind that not all components have been migrated to version 4 yet. The components that are available right now are listed below. Some highlights in RichFaces 4 Alpha 2[...]

Using RichFaces a4j:jsFunction Send an Ajax Request From Any JavaScript

Thu, 03 Jun 2010 19:42:00 EDT

There are four components in the a4j: tag library which enable you to send an Ajax request. They are a4j:commandButton, a4j:commandLink, a4j:support, and a4j:poll. All provide rather specific functionality. For example, a4j:commandButton will generate an HTML button that fires an Ajax request. a4j;commandLink will do the same but generates a link. a4j:support is always attached to another JSF component to enable sending an Ajax request based on some event supported by the parent component. a4j:poll which allows sending Ajax requests periodically. There is one more tag called a4j:jsFunction. This tags gives you a lot of power and flexibility. a4j:jsFunction lets you send an Ajax request from any user-defined JavaScript function. It can be a custom function or from any component-event as well. The good news is that it works just like any other tags I listed above, it has all the same attributes such as reRender, action, actionListener, bypassUpdates, ajaxSingle and so on.

Ariba Delivers On-demand Contract Management for SMBs

Tue, 18 May 2010 12:23:00 EDT

Effective contract management is a “critical lever” that companies can pull to find contract information, optimize profits, and identify risks and opportunities quickly. Ariba, the spend and procurement management solutions provider, hopes small- to mid-sized businesses will take their enthusiasm for cloud computing to the business processes around contract management. Ariba’s latest solution, StartContracts, works to do just that. An on-demand solution, StartContracts combines technology and best practice processes to help organizations manage buy and sell side agreements with greater speed and lower costs. The solution also promises to mitigate risk, drive compliance and increase revenue, says Ariba. [Disclosure: Ariba is a sponsor of BriefingsDirect podcasts.]

Enterprise Mashups – Recovering Value from SOA Investments

Sun, 02 May 2010 18:37:00 EDT

The article is the first in a series of articles elaborating the concept of utilizing enterprise mashups to recover value from SOA investments. The article series elaborates on the conceptual architecture model for mashups and the inevitable trade-off between power and flexibility versus simplicity and usability. Maloy Patnaik

Learning JSF2: AJAX in JSF

Mon, 12 Apr 2010 20:02:00 EDT

As you probably know JSF 2 is a major upgrade over JSF 1.2. One of the major additions to this version of JSF is standard Ajax support. This article covers Ajax features in JSF 2. If you are familiar with RichFaces and specifically the a4j:support tag then learning how to use Ajax features in JSF 2 is going to be very easy. Many concepts and features are being carried over from RichFaces. Let’s start. JSF 2 comes with one tag that provides Ajax functionality. The tag is called f:ajax (sounds familiar to a4j:support – right?) When I do RichFaces trainings, I like to divide the core ideas into three parts: sending an Ajax request, partial view rendering and partial view processing. I will use the same approach here.

An iPad Hack That Saves $39

Mon, 05 Apr 2010 19:00:00 EDT

I got it yesterday at 5PM. The Apple store at the nearby mall was crowded, but at the end of day there were more people in blue shorts (I was told that there were a 100 of them) than customers. The salesman immediately showed me a shelf with nice looking iPad jackets-turn-into-ipad-stand for only $39.

Needless to say that many people left broke after shelling out five or six hundred bucks for something they unconditionally loved for a least two months without knowing what for. I didn't buy that $39-thingy. My son David immediately found a decent replacement for it.

If you're broke but have 2 min to watch (if you don't have money, you'd better have some time), here's a short instructional video.

The Secret of Saatchi & Saatchi's CEO: The Personal Approach

Wed, 31 Mar 2010 09:15:00 EDT

"From my first day at Saatchi & Saatchi," explains Bob Seelert, chairman of Saatchi & Saatchi, "I met with as many people as I possibly could. There is no substitute for a personal presence, I went to four companies in London and then got on a Concorde and did the same in New York before meeting with the Chairman of our biggest client, Proctor & Gamble". Seelert, chairman of Saatchi & Saatchi, speaks candidly for MeetTheBoss.TV on how he was intent on taking the helm of what was a sinking ship and steering it into a course of thirteen years of concessive growth. What is his secret? The personal approach!

L’Europe face aux défis des infrastructures Cloud Computing

Tue, 30 Mar 2010 17:45:00 EDT

La décennie 2010 - 2020 sera celle du Cloud Computing ; c’est un message que je répète sur ce blog depuis longtemps et il est maintenant bien accepté par tous les fournisseurs, y compris les «historiques», par la grande majorité des responsables informatiques. Les deux composantes techniques majeures de cette révolution Cloud Computing sont les infrastructures et les usages, en mode SaaS, Software as a Service. Pour ces deux composantes, les conditions de la réussite sont très différentes.

CIOs Beware: Citizen Developers Are on the Loose

Mon, 29 Mar 2010 17:45:00 EDT

Gartner this week released a report entitled "Citizen Developers are Poised to Grow." The report by Gartner Analyst Eric Knipp describes how forces like more computer literate employees, cloud computing and better tools are fundamentally changing the role of IT. Eric paints a vision that in one stroke could eliminate the feared IT backlog: "Citizen developers leverage shared services and 4GL-style development platforms, releasing IT resources to do what they do best, if IT leaders allow it." Gartner argues that CIOs should enable business analysts to build "self-service" applications that can be managed centrally by IT. This puts IT in the role of providing a secure infrastructure while enabling business developers to implement business processes using 4GL-like tools.

Silverlight 4 + RIA: Exposing WCF (SOAP\WSDL) Services

Mon, 29 Mar 2010 12:31:00 EDT

I wanted to touch on how a RIA Services can be exposed as a Soap\WSDL service. This is very useful if you want to enable the exact same business logic\data access logic is available to clients other than Silverlight. For example to a WinForms application or WPF or even a console application. SOAP is a particularly good model for interop with the Java\JEE world as well. First you need to add a reference to Microsoft.ServiceModel.DomainSerivves.Hosting.EndPoints assembly from the RIA Services toolkit.