Live from TSSJS – Web Frameworks with Matt

Live blogging from TheServerSide Java Symposium again, this time with Matt Raible, who is giving a presentation entitled “Comparing JVM Web Frameworks”.  He began his talk taking feedback from the audience on what frameworks people are using, with one humorous dialogue that proceeded as follows:

“How many people are using Struts 1?”.
One gentleman raises his hand.
“Poor bastard.  Are you using Struts with WebSphere?”
The gentleman nodded.
“Why haven’t you quit your job yet?”

1.  Web Frameworks – Too many?
In the non-Java market, jQuery has risen to the top but this hasn’t happened in the Java world.  Some people have criticized Java as having too many frameworks to choose from.

Matt is personally very much against Struts 1, as well as JSF.  He talks about how the founder of both, Craig McClanahan, essentially ditched Struts/JSF for Rails around 2007.  He also quotes James Gosling as saying he hates JSF, with a link to the YouTube video, although he indicates Gosling may have been referring to JSP.

2. Choosing a framework
Matt often talks about being asked which framework to use.  He has constructed a list of 20 criteria to determine which framework to use such as:

  1. Developer Productivity
  2. Developer Perception
  3. Learning Curve – Should be able to learn in under a week
  4. Project Health
  5. Developer Availability – Will you be able to find developers to hire who know the material?
  6. Job Trends
  7. Templating
  8. Components
  9. Ajax
  10. Plugins or Add-Ons
  11. Scalability
  12. Testing Support
  13. i18n and testing
  14. Validation
  15. Multi-language Support
  16. Quality of Documentation/Tutorials
  17. Books Published
  18. REST Support (client and server)
  19. Mobile / iPhone Support
  20. Degree of Risk

Matt reviewed a number of platforms and posted the resulting matrix online.  The top 5 based on these scores are Grails, Tapestry, Lift, Spring, and Struts2.  Positions 5, 6, and 7 often change every few months.

3.  Business Decisions
Often companies hire consultants to reinforce web framework decisions that they have already made.  A lot of companies have a proprietary web framework that can be successful for their product.

4.  Controversy
Matt has been criticized for his scoring by members of the community.  He has posted a detailed explanation of how he calculated these ratings online.  As a well-read GWT developer, I disagree with some of his scores for GWT, especially templating which only scored a 0.5.

5. Matt’s favorite web frameworks

  1. Grails and Groovy:  Easy transition for Java developers.  It is also a gateway to Groovy.  He mentions some companies and developers resist Groovy because it is targeted only for Java developers and there isn’t a high availability of jobs.
  2. GWT: Great for Java developers who hate JavaScript.  The community is open and Google has done a good job growing a vibrant developer base.  The down sides, though, are that it is slow to test and requires Java knowledge to use.
  3. Ruby on Rails: Good for web developers, rather than hard-core Java developers.  The community is excellent.  The down sides are that performance, testing, and type safety are limited.
  4. Spring MVC:  Easy configuration and usage
  5. VAADIN:  Excellent theme and layout support.  Uses the GWT API for developing views.
  6. WICKET:  Great for Java Developers.  Active community with creators providing a lot of support.  One downside is that very few jobs are available for WICKET developers.

Active Mailing Lists
One good measure of the health of a web framework is the number of developers asking questions and involved in the community, such as mailing lists and forum websites.  Some frameworks have hundreds of questions posted a month while others have 1-2 and are clearly not being used much.

Conclusion
Matt finished by asking the question “What if there is no ‘best’ web framework?”, to which he spent time presenting competing arguments about how people ‘shop’ for frameworks.  He compared shopping for frameworks with shopping for food and discussed an article with a researcher who did trending for how people choose food products.  “When we pursue universal principles in food, aka web services, we are doing ourselves a massive disservice”.  In other words, pick the frameworks that work for you, not necessarily the “best” framework.

Matt gave one of the best presentations I’ve attended at TheServerSide Java Symposium, and covered a large variety of web frameworks, while demonstrating expertise in each.  As a fellow consultant, I appreciate that he emphasized how quick it is to pick up these frameworks as well as how easy it is to find a job with these skills.  At one point, he was one of only 3 active GWT developers in the Denver area and would get a call anytime there was a GWT job available.

Side note:  Matt recommends all Java developers learn about and know JRebel given its power, saying if you take away only one thing from this presentation it is that you should know JRebel.

Live from TSS-JS – Mobile Development with Mark

Currently attending “Comparing, Contrasting, and Differentiating Between Mobile Platforms” by Mark Spritzler, a fellow CodeRanch moderator.  The presentation is in part an open discussion with the audience of what people have tried and works well in the Mobile environment.

1.  What is out there?

  • Android OS (Java)
  • Apple iOS for iPhone/iPod/iPad
  • Web applications with custom UI for mobile applications.  CodeRanch currently offers a mobile web version of the website
  • J2ME (not common)
  • BlackBerry (custom Java)
  • SymbianOS (C)

2.  Android OS Review
Built by Google; uses Java and can run Flash.  The UI is built declaratively, primarily with XML, and supports visual tools such as Droid Draw and/or Interface Builder.  MVC-like architecture with the view as XML, and control/model as Java classes.  The API is quite open so developers have a lot of ability to customize.

There is currently a large variety of Android devices so splintering of the code base could be in the future.  Some devices cannot upgrade the Android OS, leading to permanent branching of code base.

Also, Android requires a lot of manual work to integrate with a database, such as SQLite, whereas Apple iOS has this built in.

3.  Apple iOS Review
Built by Apple and uses Objective-C, and cannot run Flash.  Developers must manage memory manually.  The API is completely proprietary and there are limited tools for developers.  For example, the developer must have a Mac and use Xcode.  Closed APIs, but Apple promises stability (although it did change in iPad with the split/view feature).

Discussion on Apple’s stringent application approval process followed.  One participant commented that they waited 1-2 months for Apple to approve it.  Apple has also stopped approving ‘pointless’ apps.  I asked Mark if he thinks the delays are worth the improvement in quality, to which he replied that it does lead to better applications.  He also informed the audience that Apple wants you to use certain visual controls in particular manners to help build a consistent UI, and may reject applications based on improper usage.  Apple sometimes comments on why applications are rejected but not always.

4.  J2ME Failure Review
The idea was to develop using Java and run on a variety of devices.  One of the major problems is that Sun certified J2ME mobile phones that didn’t properly or fully implement the spec.  This also led to splintering of the code base and very inconsistent results across devices.

5.  Native vs Web applications
Web applications have greater reach since they can run on many devices, but have weaker performance and require the developer to self-promote them.

6.  App Generating Frameworks
Template-based services build mobile applications from predefined templates using a CMS system, often entered in a web browser, such as MobileRoadie, which is a paid service.  Builder frameworks (often open source) generate mobile applications based on existing code; examples include Appcelerator, Rhomobile, and PhoneGap.

Write once and run on many devices through generation.  They may have limited functionality since they use a subset of features available in the language.  Multi-touch is also very limited in Android over iOS.  HTML5 does support location-aware so it can help in application generation.

Conclusion
Mark ended the presentation with an open discussion asking people to share their own mobile development experience.  He pointed out that there are a lot of pros and cons to using different mobile platforms and mobile devices, and you should consider the resources on hand when deciding how to proceed in development.

GET vs POST and URL security

Is GET or POST more secure?  Like many things in computers, it depends!

Who are you trying to secure data against?

  1. The user in his/her browser
  2. People who legitimately see the URL
  3. Hackers

The user in his/her browser
This is the case that is usually discussed.   Some people will naively say they want to “secure” the data by using POST.  That way the user “can’t change the submitted data.”  Of course, this is hooey.  Anything on the user’s machine is something the user can see/change.

People who legitimately see the URL
Many people have access to the URL such as in logs.  Having sensitive information in the URLs is a bad idea.  This actually happened recently at JavaRanch.  A user started a thread inquiring about a thread that linked to his but he couldn’t see the protected page.   At JavaRanch, as on many blogs, URLs look like “http://www.coderanch.com/t/493907/Ranch-Office/Could-anyone-enlighten-me-please”.  Luckily we had taken a precaution and used a shorter form of the URL for our private forum.  Otherwise information could leak out!

Similarly, social security numbers and other sensitive information should not be in a GET form submission because the information is then out of your control.  If at all possible, they should be kept on the server and never sent to the user’s machine in the first place.
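As an added example (not code from the original post), the following Python builds the same form submission as GET and as POST, shows which fields end up in the URL and therefore in access logs, browser history and Referer headers, and runs a simple check over constructed access-log lines for sensitive parameter names.  The field names in SENSITIVE_FIELDS, the sample SSN value and the log lines are assumptions made for the illustration.

```python
"""Added example: why a GET form submission exposes its fields where a POST
body does not, plus a log check a defender can run. All sample data is constructed."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

SENSITIVE_FIELDS = {"ssn", "password", "token", "credit_card"}  # assumed field names


def build_request(method, path, fields):
    """Return (request_line, body) as a browser would send the form."""
    encoded = urlencode(fields)
    if method.upper() == "GET":
        return f"GET {path}?{encoded} HTTP/1.1", ""   # fields ride in the URL
    return f"POST {path} HTTP/1.1", encoded           # fields stay in the body


def exposed_fields(request_line):
    """Field names that appear in the request URL (hence in logs and Referers)."""
    target = request_line.split(" ")[1]
    return set(parse_qs(urlsplit(target).query))


LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def sensitive_in_log(log_lines):
    """Return (line_no, field) pairs where a sensitive field is in a logged URL."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_LINE.search(line)
        if not m:
            continue
        for field in parse_qs(urlsplit(m.group("target")).query):
            if field.lower() in SENSITIVE_FIELDS:
                hits.append((n, field))
    return hits


# Constructed access-log lines (common log format); the SSN is a made-up value.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2011:10:00:00 -0700] "GET /apply?name=Al&ssn=123-45-6789 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Mar/2011:10:00:01 -0700] "POST /apply HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Mar/2011:10:00:02 -0700] "GET /t/493907/Ranch-Office/Could-anyone-enlighten-me-please HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for method in ("GET", "POST"):
        line, body = build_request(method, "/apply", {"name": "Al", "ssn": "123-45-6789"})
        print(line, "| body:", body or "(none)", "| in URL:", exposed_fields(line) or "{}")
    print(sensitive_in_log(SAMPLE_LOG))  # only the GET line is flagged
```

The POST line keeps the field names out of the log entirely, which is the point of the section above; the same check can be pointed at real access logs to find forms that should be switched to POST or redesigned so the value never leaves the server.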

Hackers
Hackers are a harder case because the hacking can be in multiple places.  For truly secure information, you have to use HTTPS.  For “medium” information, POST is still better than GET because URLs are easier to intercept than whole pages.

Conclusion

As a rule of thumb, POST is going to always be more secure than GET because it removes the “data in the URL” issue.  For some things, neither is secure enough.