People are the platform

jQuery Mobile Events Diagram

2011-12-10T12:50:00.003-06:00

When building jQuery Mobile applications I often find it useful to have a quick reference to all events within the lifecycle. This jQuery Mobile events diagram should be helpful for new developers learning the jQuery Mobile event model or advanced developers that often bind to these events:

This diagram is also available within Pro jQuery Mobile. In addition to the diagram, you will also find detailed examples and descriptions for each event. Enjoy!

Titanium MVC Pattern

2011-05-21T13:26:00.002-05:00

Are you looking to simplify your Titanium programming model? Leveraging the MVC pattern will help produce cleaner code and promote reusability. Applying the MVC pattern within Titanium is relatively easy and it provides all the advantages we expect from MVC. Here is a quick example of the view and controller components:

View

The view is responsible for creating the window and adding the necessary UI components. Your views may optionally manage styling properties (color, font, and positioning). Ideally, the better practice is to extract all styling properties into external JSS files but I found this feature to be too quirky in its initial release.


/**
 * View Template
 * Usage: APP.ui.LoginView.createWindow();
 */
APP.ui.LoginView = (function(){

    /* private methods to build UI specific components */
    function buildWindow(){
        return Ti.UI.createWindow({
             title: 'Title',
             barColor: '#225377',
             backgroundColor: '#d4d2d3'
        });
    }

    function buildUsernameTextField(win){
        win.usernameTextField = Ti.UI.createTextField({
            autocorrect: false,
            hintText: 'Username',
            left: 10,
            width: 285,
            suppressReturn:false,
            autocapitalization: Ti.UI.TEXT_AUTOCAPITALIZATION_NONE,
            clearButtonMode: Ti.UI.INPUT_BUTTONMODE_ONFOCUS,
            borderStyle: Ti.UI.INPUT_BORDERSTYLE_NONE,
            returnKeyType: Ti.UI.RETURNKEY_NEXT
        });
     }

     /* Public API only exposes the createWindow method. */
     return {
         createWindow: function(){
             var win = buildWindow();
             buildUsernameTextField(win);
             //buildComponentX(win);
             return win;
         }
     };
})();

Controller

The controller is responsible for managing events (button taps) and navigation. Events handlers communicate with server-side services when necessary.

/**
 * Controller Template
 * Usage: APP.ui.LoginController.init();
 */
APP.ui.LoginController = (function(){

     /* Private helper methods */
     function setEventListeners(win){
         win.usernameTextField.addEventListener('return', function(){
             win.passwordTextField.focus();
         });
        
         win.passwordTextField.addEventListener('return', function(){
            handleLoginEvent(win);
         });
     }

     /* Public API only exposes init method. */  
     return {
         init: function(){
             var win = APP.ui.LoginView.createWindow();
             setEventListeners(win);
             win.open();
         }
     };
})();

Model

The model is typically a JSON payload retrieved from a Restful service. For example, the handleLoginEvent will return user profile information after a successful login. We can save this object locally and leverage it on subsequent screens.

Advantages:

Small objects and methods.
Improved organization and readability
Promotes reusability of views. Also, the decoupled views allow you to swap in native-specific UIs when necessary all while reusing a single controller.
Simpler maintenance.
Allows for simpler unit testing with responsibilities split into separate objects.

I expect many developers may fall in the trap of modeling their JavaScript according to the KitchenSink examples. While those examples are useful, their programming practices should not be followed for a production ready app. For example, their examples do not leverage closure to eliminate global scope, they do not use a namespace convention for improved organization, and all MVC responsibilities were bundled within a single object.

Mobile March

2011-03-20T09:04:00.000-05:00

The Mobile March conference was held at the Best Buy headquarters this weekend. Here is a brief recap of the sessions I attended:

Keynote

Key points:

There is a low tolerance for mediocrity in mobile. Apps have a 50% abandon rate after the first 30 days.
Mobile trends: News via tablets, social media, location based apps, group messaging with apps like Beluga.
Mobile marketing, what's working: Incentives, deals, hot buys, and rebates.
5 things to consider: Activate advertising with text or QR codes, activate sponsorships with mobile, launch mobile coupons, test a location based campaign, use mobile to drive app downloads.

Simple and low cost mobile technologies have proven to be very effective solutions. SMS, QR codes, and social media fall within this category. The goal is simple, get customers to engage and then extend the conversation.

Cracking the Code: QR Codes and Coupons

Key points:

QR code scanning is up 1000% in the last 6 months. Consumers love to scan QR barcodes.
QR codes link users to additional information. For example, Best Buy has QR codes next to each price tag. Launching the QR code provides the user with detailed information and user reviews. Additionally, if you scan another product you can see a side-by-side comparison of both products.
Looking for a QR reader? Try NeoReader.
Chino Latino is the first restaurant to put a QR code on a billboard.

Mobile March had QR codes at the entrance of each session. Scanning the code displayed the presenters bio. Again, this is a simple, low cost solution to interact with mobile customers.

The iPhone vs Android Showdown

Key points:

iPhone

Xcode 4, which was released a few weeks ago, has finally simplified the organization of their Interface Builder and code editor. Navigating between Interface Builder and code is much quicker via their new tab orientation instead of externalized windows found in Xcode 3.
Xcode is the superior IDE when compared to Android development on Eclipse. The Interface Builder is far superior and the iPhone emulator loads much faster.

Android

Android's distribution model is superior. It takes several hours to deploy to Android's Market. The Apple Store certification process may take up to 2 weeks.

Creating a mobile wireframe is easily 2-3 times faster in Xcode. While Android finally released a UI builder with their 3.0 SDK it is far from perfect. A major Android advantage is their time to market on app upgrades. If you have a production defect will you have the patience to wait for the Apple certification process?

Grill yourself

Key points:

Think about UX as soon as you have an idea.
Keep apps simple and moving parts to a minimum.
You can sell anything if you can do it simple, quick, and cheap.
Share the analytics about your mobile users with your organization.

The Current State of the Mobile Web

Key points:

Native advantages: performance, consistency, safety, convenience, functionality.
Native disadvantages: harder to build, approval process, hard to discover, fragmentation.
Mobile Web advantages: open, connected, ubiquitous, unregulated.
Mobile Web disadvantages: unregulated, performance is slower.
Mozilla and Google are coming out with web app stores soon.
Looking for a fixed header and footer for your scrollable window on iOS? Try iScroll.

There are clearly many advantages to Mobile Web. Its deployment model is instantaneous and it helps reduce fragmentation and development costs. If you are interested in jQuery Mobile, here is a good presentation.

Blackberry Playbook

Key points:

Cost of entry

BlackBerry: Free
Android: $25 (one time)
Apple: $99/yr

Distribution

Google: lass than hour
BlackBerry: 4-6 hours
Apple: up to 2 weeks

BlackBerry has a "try before you buy" program in their AppWorld store which is unique.

The Playbook tablet by BlackBerry will be released soon. While competition is good, they definitely have an uphill battle to climb.

No Fluff Just Stuff: Minneapolis Summary (Spring)

2011-03-06T07:34:00.008-06:00

The No Fluff Just Stuff conference was back in Minneapolis. Here is a brief recap of the sessions I attended:

NoSQL Smackdown!

Key points:

NoSQL is a set of different approaches to storing and retrieving data
Cassandra:

Implementation Language: Java 6
Data Model: BigTable
Advantages: Highly scaleable
Deployments: facebook, twitter

MongoDB:

Implementation Language: C++
Data Model: JSON
Advantages: Simple
Deployments: sourceforge, bit.ly, shutterfly, Etsy

I like the fact MongoDB persists JSON. I implemented a similar solution on a recent mobile application where JSON objects were persisted on the client database. This solution is simple, requires minimal code, and provides great flexibility. If the domain model changes the database requires ZERO changes!

Pragmatic Architecture

Key points:

Architects will be much more effective if they have a solid understanding of the business domain.
A good architecture makes it easy for developers to make "right" decisions.
Avoid architectures that were designed with Resume Driven Design (RDD).
Architects must be familiar with all technologies.
Prefer full-time architects or architects that at least see the consequences of their design after deploying to production.

Over the past twelve years I have observed that the most effective architects code at least 49%. The more the better. If this isn't the case they simply won't be effective long term. The best architects produce working code in addition to their design artifacts.

Introducing Spring Roo: From Zero to Working Spring Application in Record Time

Key points:

The rapid scaffolding is intriguing.
The de-Rooing is convenient when you need to remove the Roo footprint.
I particularly like the ability to replay your commands for project setup. Extract the Roo scripts and replaying them for the next project can offer rapid productivity.

Roo makes sense for rapid prototyping or if you need to build an application in 24-hours.

HTML5: The JavaScript Parts

Key points:

Prefer document.querySelector() over document.getElementById() for much improved performance gains.
By default, navigator.geolocation is not enabled in Chrome. The user must explicitly enable it.
Modernizr can help with progressive enhancement by detecting browser feature availability and reacting appropriately.
Web Workers are not supported on mobile browsers:(
When can I use... shows feature compatibility by browser.
findmebyIP shows feature support for your current browser.

I predict a strong enterprise push for mobile web development starting this year. Mobile Web is device agnostic and jQuery Mobile will simplify the adoption. Even facebook has admitted to the pain, duplication, and cost of supporting five separate native apps.

Developing Social-Ready Web Applications

Key points:

Enable twitter integration with @Anywhere
Dynamically search for tweets from twitter's restful API: http://search.twitter.com/search.json?q=nfjs
Dynamically find the friends of a twitter user: http://api.twitter.com/1/friends/ids.json?screen_name=<username>
Enable facebook integration with their Social Plugins
Dynamically retrieve the user info for a facebook user: https://graph.facebook.com/<username>
LinkedIn's developer widgets

The greatest benefit of Spring Social is its simplification of SSO integration.

Git Going with Distributed Version Control

Key points:

Git is 10-100 times faster than Subversion.
Git can bisect bugs or find the commit that broke a test.
Git can search (grep) the entire revision history without checkouts. For example, I can find a particular commit where a line was added.
Git persists the versioned artifacts to the file system as 40 character hashes. This approach is very lightweight and provides extremely fast compares.
Unlike Subversion, Git does not pollute the source directories with version control meta data.

I have been working with Git for several weeks. Matthew's DZone Refcard about Git has also been a very valuable resource. Git was my favorite session so far!

jQuery: Ajax Made Easy

Key points:

jQuery has a small footprint, the code is clean, it has good documentation, has excellent CSS selector support, and it's the most popular.
If you only need the CSS selector support it's available in Sizzle.

If you want read well written JavaScript it is worth your time to checkout jQuery's source code.

Going Mobile with jQuery

Key points:

50% of population will have smartphone by the end of 2011
Tablet support is now available
Favorite quote: "Using an iPhone during a meeting makes you look like a proactive employee." --Nathaniel Schutta

I have been working with jQuery Mobile for several months now and it is a simple framework. The team is extremely eager to support nearly every device. After spending time learning Git, I am finally setup to help contribute to the project. Now I need to find the time to focus on a task, defect, or test! In addition to jQuery Mobile there are also mobile web frameworks available from YUI, jQTouch, and Jo.

Code Craft

Key points:

We need to spend more time reading code.
There is nothing wrong with simplicity! Simple code == good
If you are having difficulties with code reviews try Crucible.

Mobile GUI Frameworks

Key points:

jQTouch is the smoothest mobile web framework on the market today. However, only iOS is able to reap many of these benefits.
Jo is a new mobile framework I definitely want to look at closer. It's lighter weight than jQuery Mobile and the end user codes primarily in JavaScript whereas jQuery Mobile is more markup driven.

Agile Strategy for 24-hour Coders Challenge

2011-02-14T17:24:00.004-06:00

135px;" src="http://4.bp.blogspot.com/-Ca53h6Q6ecU/TVNO8zsXnzI/AAAAAAAAAHc/FkL1jAnswNQ/s400/R_C_Wall_Clock.jpg" border="0" alt="clock" id="BLOGGER_PHOTO_ID_5571883970562858802" />

Can we build an app in twenty-four hours? We definitely can with the right planning and tools. The Nerdery is organizing an overnight website challenge in the Twin Cities where teams compete to build the best Web application within twenty-four hours. I have always watched these competitions on TV but never with software developers! What is the ideal strategy for this competition?

Agile Planning Strategy

Pre-competition planning is the most important step to success. Literally, every detail must be planned prior to competition. This will yield great efficiencies during the competition. Pre-competition planning considerations must include:

Technology stack: Java, Grails, Rails, PHP
Tool suite: IDE, graphic editors
Source repository: GIT, shared local repository
Hosting platform: Google App Engine (GAE), local environment
Identify roles: developer, designer, QA, manager, presenter
Database: relational, NoSQL (GAE)
Scaffolding for rapid application development (RAD):
- Java: Spring Roo
- Groovy: Grails
- Ruby: Rails
- PHP: phpScaffold
Requirements gathering techniques: wireframes, use cases
Task management: whiteboard, electronic
Pre-designed templates for common functionality: Home page, dashboards, login, reports

Multiple Platform Strategy

When I initially saw the 10 member team size I knew that could lead to inefficiencies. Often a team of 3-6 is an ideal size. To remedy this issue why not split the team into two smaller sub-groups? Have one group focus on a desktop Web solution and the other on a mobile Web solution. I see two huge advantages of this strategy. First, it should help eliminate critical paths. Again, with ten team members I see too many members waiting idle for others to complete dependent tasks. And most importantly, this strategy should help deliver that extra punch to help wow the judges.

Execution Strategy

Prior to the competition, every developer and designer must have a fully integrated development environment. Everyones environment must build a template project, sync to the repository, and deploy to the production-ready hosting environment. Once competition begins the focus must be solely about requirements gathering, task definition, prioritization, and efficient implementation.

Kudos

I wanted to thank the Nerdery for hosting such a unique event in the Twin Cities! This is 100% voluntary and the solutions are built for non-profits!

JavaScript Performance: Creational Patterns

2011-01-16T15:34:00.001-06:00

Which JavaScript creational pattern is the most efficient? Is it an object literal, functional, or pseudoclassical object? With JsTestDriver, I setup a quick performance test to gather the metrics.

Creational Patterns to Test

I tested the three most popular creational patterns in JavaScript. Object literals, functional objects, and pseudoclassical objects. In particular, I wanted to test their singleton and instance based execution times.

/*
 * Pseudoclassical object designed as a singleton
 */
var PseudoclassicalSingleton = new function(){
    this.getName = function(){
        return 'Pseudoclassical';
    };
};

/*
 * Functional object designed as a singleton
 */
var FunctionalSingleton = (function(){
    return {
        getName: function(){
            return 'Functional';
        }
    };
})();

/*
 * Object literal (implicitly singleton)
 */
var ObjectLiteralSingleton = {
    getName: function(){
        return 'ObjectLiteral';
    }
};

/*
 * Pseudoclassical object designed as a non-singleton
 */
var PseudoclassicalInstance = function(){
    this.getName = function(){
        return 'Pseudoclassical';
    };
};

/*
 * Functional object designed as a non-singleton
 */
var FunctionalInstance = function(){
    return {
        getName: function(){
            return 'Functional';
        }
    };
};

Performance Test Runner

I setup JsTestDriver to execute the test cases against Firefox. One advantage of JsTestDriver is I can run my test cases against any browser! Each performance test will instantiate its creational pattern 1.4 million times as indicated by the RUN_TIMES constant. Additionally, I ran the performance test suite twenty times to gather an adequate average.

CreationalPatternsPerformanceTest = TestCase("CreationalPatternsPerformanceTest");

var RUN_TIMES = 1400000; 

var performanceTest = function(name, f){
    console.time(name);
    for (var i = 0; i < RUN_TIMES; i++){
        f();
    }
    console.timeEnd(name);
};

CreationalPatternsPerformanceTest.prototype.testResponseTimes = function(){
    performanceTest("ObjectLiteral (singleton)", function(){ 
        ObjectLiteralSingleton.getName(); 
    });
    performanceTest("Pseudoclassical (singleton)", function(){ 
        PseudoclassicalSingleton.getName(); 
    });
    performanceTest("Functional (singleton)", function(){ 
        FunctionalSingleton.getName(); 
    });
    performanceTest("Pseudoclassical (instance)", function(){ 
        new PseudoclassicalInstance().getName(); 
    });
    performanceTest("Functional (instance)", function(){ 
        FunctionalInstance().getName(); 
    });
};

**Performance Test Results**
	Object Literal (singleton)	Pseudoclassical (singleton)	Functional (singleton)	Pseudoclassical (instance)	Functional (instance)
Avg (ms)	1093	1095	1094	3301	3341
Min (ms)	1070	1064	1062	3225	3246
Max (ms)	1112	1114	1113	3460	3476

Areas of Interest

I had three specific comparisons I wanted to evaluate heading into this experiment:

Object literals vs the others (functional and pseudoclassical): I knew object literals were going to be the most efficient. However, I really wanted to see how much faster they really are. The result was surprising. Object literals (1093 ms) barely out performed functional (1094 ms) and pseudoclassical (1095 ms) response times. This difference is really negligible. Unlike object literals, functional and pseudoclassical objects can provide security. And the performance degradation is almost non-existent.
Functional vs Pseudoclassical: There are always debates over these two objects. While I personally prefer pseudoclassical objects when security is a concern I definitely wanted to see which one was the more performant option. In the end, neither pattern distanced itself from the other in regards to performance.
Singletons vs Instance based Objects: I knew singletons would be the most efficient. However, I wanted to see what this difference really was. On average, singletons were three times faster.

Lessons Learned

Prefer singletons over instance based objects when possible.
Prefer object literals when you are not concerned about privacy.
The performance metrics alone are not enough to sway the functional vs pseudoclassical debate.

JavaScript: Securing Pseudoclassical Objects

2011-01-02T18:46:00.000-06:00

Which JavaScript pattern do you prefer for object creation? Functional or pseudoclassical? This question makes for a very interesting debate. The first time I read JavaScript: The Good Parts I was sold on the functional pattern based upon the knowledge that it was the only pattern that supported privacy. However, the pseudoclassical pattern can be secured! Based upon the fact that pseudoclassical objects can be secured and its many additional advantages make it the ideal choice for object creation.

Securing Pseudoclassical Objects

/**
 * Pseudoclassical object with private variables and functions.
 *
 * @constructor 
 * @param {string} name
 * @param {number} age
 */
var Person = function(name, age) {
 
     /** @public variable */
     this.name = name || 'Brad';
 
     /** @private variable */
     var age = age || 34; 
 
 
     /** @private function */
     function setAge(a) { 
         age = a;
     }

     /** @public function with access to private methods and variables (privileged) */
     this.getAge = function () {
         return age;
     };
};

Why is Everything Public?

Security is not often documented within JavaScript books and I rarely see examples where developers secure their JavaScript objects. Typically, everything is exposed publicly. If you develop mobile applications with Titanium or are developing a JavaScript framework you absolutely must apply security with either the functional or pseudoclassical pattern. And of all the Titanium code I have read over the past month not a single example or sample application was concerned about privacy. Training can remedy this problem.

JavaScript Code Completion

A simple way to quickly view the publicly available methods of an object is with code completion. For example, the Aptana Eclipse plug-in has code completion built-in and works very well for JavaScript development.

Becoming a MacBook Pro Ninja

2010-11-29T18:29:00.003-06:00

175px;" src="http://2.bp.blogspot.com/_mO_Jjc1RwAQ/TO8Wx915udI/AAAAAAAAAHE/viMw3vLJyFM/s400/mac-book-pro1.jpg" border="0" alt="mac book pro" />I have always been the PC guy in those funny Mac
commercials. I knew very little about Macs a month ago. In fact, I had to consult the owners manual to find the seamlessly integrated power button on the shiny new Mac Book Pro! I didn't feel too bad, I challenged another PC guy to find it and they failed too:) Being a novice at anything can be extremely frustrating. As a novice I set a simple goal. Learn everything about this all-aluminum, uni body machine. After reading MacBook Pro Portable Genius, a few magazines, and many online tips I finally feel very comfortable in the drivers seat. Here is a very brief recap of what I discovered on my journey.

Favorite Features

Trackpad gestures:
The trackpad is unquestionably the most powerful feature you will find on any laptop and it is exclusive to MacBooks. Who needs a mouse? I am more efficient with the trackpad! Enable "tap to click" for even greater efficiency gains.
Expose:
Expose is also totally unique to Macs and offers a convenient layout for switching between open windows. Additionally, Application Switcher and Spaces (also unique) each offer efficient capabilities for navigating your workspace. These features will definitely make you more efficient while multitasking.
Security:
The security settings are powerful and simple to setup. The settings include: account management, password enforcement, data encryption, firewall protection, secure notes, SSO capabilities, and parental controls. Each can be configured within Settings or Key Chain.

Top Four Things To Customize When Setting Up

Enable Firewall:
If you access public WIFI, setting up your firewall is a must. WIFI is the most vulnerable network you can access. Configure your settings to be most restrictive (block all incoming connections) and adjust as necessary if you need to allow network or web sharing.
Require Passwords:
Most users disable passwords on personal devices for convenience. I will always opt for security.
Enable File Vault Encryption:
This encrypts the entire home directory. I searched for benchmark studies and they only revealed minor performance degradation. If my laptop ends up in the wrong hands at least the malicious user won't be able to login or physically read my hard drive.
Adjust Energy Savings:
Dim the backlit keyboard, reduce screen brightness, and adjust the energy saver settings to preserve battery life.

Most Frustrating Features

Speech recognition:
This is an interesting feature that is hit or miss. A few commands work well ("open my browser") while others rarely work ("tell me a joke"). In the end, the trackpad reigns supreme.
No trackpad gesture for Spaces:
Looks like the only alternative is to use a hot corner or keyboard shortcut.

Features With Potential That I May Never Use

Dashboard:
I have setup several active widgets for weather and iTunes but I can access these features outside of dashboard too. The availability of useful widgets will drive my usage of this feature.
Text-to-speech:
This is a nice feature but I only see myself using it while reading an online book.
MobileMe:
I can not justify the yearly cost for Apple's cloud storage when a simple flash drive does the job at a lower cost.

Mac Book Resources

Cleaner Code with One Simple Technique

2010-09-14T19:36:00.027-05:00

What is the simplest technique you can apply to write cleaner code? Clean Code by Robert C. Martin is a very good book that focuses exclusively on writing cleaner code. I read this book several months ago and at a recent code review I was again reminded of the value of this simple technique. The simplest technique to apply for writing cleaner code is to keep functions small!

Advantages of Small Functions

Functions perform one specific responsibility (single responsibility principle)
Functions become very readable
Functions are more likely to descend only one level of abstraction (tip G34 from Bob's book)
Small functions promote reusability and help eliminate duplication
Your favorite IDE makes extract method so simple
Small functions adhere to these valuable coding principles by design

Ideal Function Size

"Continue to extract methods until you can not extract methods anymore. Extract until you drop!" This is Bob's recommendation from his online presentation of Bad Code and Craftsmanship. Personally, I couldn't agree more. For the past three months I have been following this practice and this simple technique has a high return on investment.

Additional Clean Code Tips

Looking for additional clean code tips? Chapter 17 (Smells and Heuristics) in Bob's book is a very quick read and covers sixty-six valuable coding practices. Alternatively, Bob discusses many clean code practices in his online presentation. In fact, he leads off the discussion by focusing on the importance of small functions!

Objective-C for Java Developers

2010-08-31T16:35:00.025-05:00

I actually won Learn Objective-C for Java Developers at the last Twin Cities Java User group meeting. The only stipulation for winning a free book is the expectation that we publish a review of the book online. This is a small task for a free book. Learning Objective-C has been on my todo list for several months anyway. Winning this book simply moved it higher on my priority list.

Review:

Pros:

Many of the Objective-C examples were also shown with their Java counterpart. This added value in two regards. First, it clarified what the example was really doing. I could simply reference the Java version and quickly understand the Objective-C code. Secondly, it allowed me to compare and contrast the two languages. In many cases (but not all) the Objective-C examples contained fewer lines of code.

In addition to the Java and Objective-C examples, the book also had many table-based comparisons for common features (data types, methods). For example, one page listed the Java data types and their Objective-C alternative including their size and range restrictions. Again this helped simplify the learning curve. The table-based charts were also used for common method declarations too. For example, the common String utility methods were shown side-by-side. One column showing Java's String utility method declarations and the other column showing the Objective-C alternative.

Most code examples were a page or less. This helped simplify the learning process by allowing me to focus on more isolated code fragments.

Cons:

Many books that teach a new programming language typically include exercises at the end of each chapter that the reader can take away and complete. This book did not have any. This is a minor complaint. I can definitely think of sample programs to write...

The index does not always serve as a good reference for finding things quickly. For example, I wanted to find more information about logging and "logging" or "NSLog" were not in the index. Need to find the for loop quickly? You will not find it in the index. It is actually found in the index under "Collections, iterating through". The index could have been structured slightly better for quick search keywords.

An Objective-C quick reference guide would have been helpful. This did not bother me too much because about the time I started reading this book DZone released a new Objective-C reference guide. I highly recommend it! In my previous "con" I mentioned that it can be painful to find certain topics (logging, data types, loops) quickly within the index. The DZone refcard provides quick access to those topics and more!

Summary

Overall this book is a very valuable resource for Java developers that want to learn the Objective-C language. The author greatly simplifies the Objective-C learning curve by contrasting many features and examples to its Java equivalent.

Mobile Web Toolkit

2010-07-31T11:52:00.011-05:00

Mobile Web development requires a more abundant set of developer tools than its desktop counterpart. XHTML MP, Wireless CSS, and Mobile JavaScript are all more refined subsets compared to their desktop predecessors. In addition, the Mobile Web offers many new challenges. In particular, device fragmentation and browser inconsistencies will always wreak havoc within this ecosystem. Great tools can help overcome these challenges. Here are a few:

Validating Mobile Sites

How valid is your Mobile Web Site? Find out with these awesome validators. These validators will grade and offer best practice solutions to achieve a more compliant Mobile site. These are also valuable tools for a code review!

Mobile Web Best Practices

Both validators above evaluate mobile sites based upon standards and best practices. Their best practice and standards documentation can be found here:

Device Databases

Device databases simplify device detection. This helps facilitate content adaptation for specific device groupings (smartphones, featurephones, screen size, OS, JavaScript/AJAX support, is wireless, is touchscreen, etc.). For example, Bank of America and Amazon tailor content based on several of these groupings.

WURFL (open source)
DeviceAtlas (commercial)

XHTML Mobile Profile

XHTML MP is the standard markup language for the Mobile Web. Unlike HTML and XHTML, XHTML-MP is featurephone compatible, it is less likely to be transcoded for optimization, and it supports the mobile-optimized Wireless CSS and Mobile JavaScript features. For additional XHTML MP 1.2 features refer to OMA's specification document.

Firefox Add-ons

The following Firefox add-ons are very powerful tools for testing and developing:

User Agent Switcher allows you to alter your user-agent. Now you can simulate a request as any device. For example, I used this technique to test the content adaptation on Bank of America. They alter their content for touchscreen vs non-touchscreen devices. Typically, it is a good practice to provide larger buttons on a touchscreen device.
Modify Headers allows you to alter your HTTP Headers. This also allows us to simulate different types of device behavior. Additionally, if you need to view HTTP Request Headers from a Mobile device Gail Frederick has built a helpful site for that.
XHTML Mobile Profile enables the Firefox browser to render XHTML MP markup documents.
Small Screen Renderer allows you to simulate the screen size of a mobile device.

Device Testing Solutions

The ideal testing solution is to test on the physical device. Two virtual device testing solutions exist:

JavaScript & AJAX Compatibility

When device testing is not always feasible, the compatibility tables generated by Peter-Paul Koch are a good alternative. If you need assistance identifying JavaScript compatibility across browsers or devices these tables can definitely help:

CSS Compatibility

If you need assistance identifying CSS compatibility across browsers or devices these tables exit too:

Web Widgets

Web Widgets will allow Mobile Web developers to take advantage of native phone features. The subset is limited but it is a start: Device APIs and Policy Working Group

Book Resources

Beginning Smartphone Web Development: I highly recommend Chapter 8, Optimizing Mobile Markup and Chapter 12, How to Play Well in the Mobile Ecosystem
Mobile Design and Development
Pro Smartphone Cross-Platform Development (Release Date: Aug 2010)

Restful Link Integrity

2010-06-30T18:33:00.012-05:00

How do you secure sensitive information within your URIs? Many of the RESTful examples I have seen expose sensitive information within their links. Often this sensitive data is the identifying key of the entity that is being managed. RESTful Web Services Cookbook briefly discussed two solutions for securing sensitive information within URI's (refer to chapter 12 for details). I will expand upon these two solutions by demonstrating how we can leverage the Jasypt encryption framework to preserve sensitive information.

Initially, we must validate our URI templates do not expose sensitive data. If they do not, there are no concerns. However, if your URI templates expose sensitive data we must preserve their integrity and confidentiality. An example of an insecure URI template may look like:

http://rest.com/account/{account_id}.

If this URI template exposes a clear text account ID we have a security gap. If a security gap exists, we must implement a solution to preserve the integrity and confidentiality of the insecure URIs. Three solutions exist to secure RESTful links:

Hashing

Hashing is an ideal solution if you need to expose data parameters in clear text and want to preserve data integrity. Integrity is the assertion that the data was not altered by the consumer or a man-in-the-middle. With a hash-based solution the RESTful link may look like:

http://rest.com/account?account_id=123456&digest=83r/grjAxjcqe5FE42xRgD6YF00q4DmsJALlfA==

This solution will preserve integrity but it does not provide confidentiality. If the consumer or malicious user alters the account ID a server-side integrity check against the hash algorithm will fail. The JUnit below demonstrates the creation of the digest (hash) and the assertion to validate the integrity of the clear text and digest have been preserved:

@Test
public void testJasyptsHashAlgorithm() {
      /*
       * By default the standard digester uses the RandomSaltGenerator and runs the hash
       * algorithm 1000 times. These are configurable for greater security.
       */
      StandardStringDigester digester = new StandardStringDigester();
      digester.setAlgorithm("SHA-1");
 
      final String clearText = "123456";
      final String digest = digester.digest(clearText);
      Assert.assertTrue("Integrity has been violated!", digester.matches(clearText, digest));
}

Encryption

Encryption is an ideal solution if you want to preserve integrity and confidentiality. For example, an encryption-based RESTful link may look like:

http://rest.com/account/kNddGYRn3KAWK5nYJ/5jrA==

The JUnit below demonstrates the creation of the encrypted text and the assertion to validate the integrity of the encrypted text has been preserved:

@Test
public void testJasyptsEncryptionAlgorithm() {
      StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
      encryptor.setPassword("password");
      encryptor.setAlgorithm("PBEWithMD5AndTripleDES"); 
 
      final String clearText = "123456";
      String encryptedText = encryptor.encrypt(clearText);
 
      String decryptedText = null;
      try {
           decryptedText = encryptor.decrypt(encryptedText);
      } catch (EncryptionOperationNotPossibleException e) {
           Assert.fail("Integrity has been violated!");
      }
      Assert.assertEquals(clearText, decryptedText);
}

Do not expose sensitive data

The ideal solution is to not expose any sensitive information. Alternatively, instead of exposing a sensitive primary key expose an associative key or index that has no identifying relationship to the entity. A common scenario occurs when consumers need to search and maintain records. Consider the following use case:

User performs a search
The server-side executes the search and stores the list of authorized search results within session
The server only exposes the indexes of the entities the consumer is allowed to maintain: http://rest.com/account/{index_id}

This solution preserves integrity by restricting the user to only maintain the records they are authorized to manage and we do not expose a confidential primary key.

NoSQL

2010-06-16T05:54:00.002-05:00

What is the one language that has not changed since you learned it in college? SQL is definitely one of them. In fact, SQL has only received minor updates over the past decade. For DBA's, this has been a luxury. Is NoSQL positioned to change this stability? NoSQL does not change SQL or relational databases, it simply provides a non-relational repository alternative. The last Twin Cities Java User Group presentation given by Perry Hoekstra provided a very good summary of NoSQL's advantages and disadvantages. Here is a recap:

Advantages

Performance metrics have shown significant improvements vs relational access. For example, this performance metric compares MySQL vs Cassandra:

Inexpensive. All NoSQL implementations except for Amazon's Dynamo are open source.
Data types are dynamic (typically strings). However, each implementation defines their own data types.
Scales very well.

Disadvantages

Bleeding Edge (right now).
Replication across a cluster is not guaranteed in real-time. Synchronization will happen. However, the "when" is currently documented as unknown.
Third-party report tool (Business Objects, Cognos, etc.) integration is currently not available.
Data redundancy is likely to occur without relational tables.
The application code performs the SQL-like operations.
ORM capabilities do not exist yet.
Transaction capabilites do not exist yet. However, Cassandra will have this feature soon.
No GUI editor tool support.

Early Adopters of NoSQL

Social media corporations are the primary trailblazers of NoSQL implementations. The list includes:

Facebook
Twitter
MySpace
Google (Hadoop, Google App Engine)
Amazon (Dynamo)

Resources

MinneBar 2010 Recap

2010-05-23T09:42:00.001-05:00

Minnebar is an (un)conference aimed at getting those in Minnesota’s tech and design communities together to discuss topics that interest them. This (un)conference is unique for several reasons. 1) It's free. However, donations are welcome. For $10 this was the cheapest tech conference I have ever attended. 2) Admission included: breakfast, lunch, snacks, open bar, and of course 8 concurrent session to choose from!

Schedule

Google Page Speed

Key points:

Google Page Speed is similar to YSlow. It evaluates the performance of your website, displays the metrics, and lists optimization strategies to improve your score. It can be downloaded as a Firefox plug-in.

Room and Bored

Key points:

Is college broken when it comes to Information Technology? This was the topic that was discussed. Personally, I do not see anything broken with college. However, it is very important to supplement real world experience with an IT degree. For example, if you are in High School and want to pursue a career in IT then join your local IT community. It's never too soon. In addition, try finding part-time IT jobs or work for free. There is no substitute for real world experience in addition to an awesome college degree.

"I'm a guru not a God!" A Tao of System Architecture

Key points:

Characteristics of successful software systems were discussed. Many common themes were discussed: KISS, don't reinvent the wheel, open/closed principle, etc. In addition to those common traits the one characteristic that topped the list pertained to bureaucracy. Mark Beckman noted that "bureaucracy is evil and should be severely limited".
"Bureaucracy frustrates people, distorts their priorities, limits their dreams and turns the face of the entire enterprise inward." -- Jack Welch, GE Annual Report, 2000
Lean processes are preferred. We must eliminate the overhead of simple tasks. How quickly can you deploy to production or setup a new development environment? Is the process simple or not? Cloud computing has few hurdles and provides an alternative for departments seeking simpler process.

Mapping Your World with OpenStreetMap

Key points:

OpenStreetMap is a Wikipedia of maps allowing anyone to edit the map. Now we can map our favorite tennis courts, hiking trails, or archery range!
Topo maps are currently in development.
Cloudmade can be used for driving directions

Why Drupal? An expert panel

Key points:

Drupal is an open source CMS solution. If you are interested in Drupal, there is a Twin Cities Drupal group.

Getting started with CSS3

Key points:

New CSS3 features that you should be using today include:
- RGB colors with opacity
- border-radius for more elegant rounded corners
- box-shadow for a drop shadow effect
- tr:nth-child for alternate row colors

Overall, Minnebar was a hit! The attendance was extremely high with roughly 800-900 attendees. The venue at Best Buy was fantastic. However, next time they should increase the number of available WIFI hotspots. The network was overloaded. I can't wait for the fall show!

Mobile Security Hacks to Avoid

2010-04-13T18:47:00.006-05:00

The average cost of a data breach is $6.75 million. While some argue that data breaches cannot be prevented, training and education can prove to be a very effective remedy.

Hacking: The Next Generation is an extremely good book filled with detailed examples on how hackers maliciously attack unsuspecting users. While this book primarily discusses the offensive strategies hackers employ, I am going to discuss several countermeasures to help secure mobile users. Mobile vulnerabilities typically fall under one or more of the following categories:

WIFI Hacks

TJ Maxx suffered a $4.5 billion data breach because they had a WIFI security vulnerability in one of their stores. WIFI networks can be extremely insecure and they provide hackers two attack options.

Passive Attacks

Passive attacks are when hackers utilize tools to scan the WIFI network for streams of personal data. The hacker is hoping an unaware user will enter personal information from a non-secured web site. For example, MySpace still allows users to log in unsecured (non-https). Your user credentials will pass the wire in clear text! The hacker may attempt to retry those same credentials against your email, corporate, and personal banking sites. Social networking sites often expose these personal details. One potential solution is to never re-use your credentials across multiple sites. Better yet, never enter personal information over an insecure network!

Active Attacks

Active attacks are when hackers setup rogue access points on a WIFI network. From this approach, the hacker is hoping an unsuspecting user connects to their malicious access point. If a connection is established and the unsuspecting user ignores the security vulnerability warnings, the hacker has access to all your personal data even over a secured (https) site.

Defending WIFI attacks

Never enter personal information from insecure (non-https) sites. Look for either "https" within the browsers URL or look for the locked image icon within your browser to determine if the site is secure. Browser warnings can also be configured to alert users when they are not on a secured site.

Validate you are connected to a trusted WIFI access point. Most browsers can protect and alert users of this attack. For example, from IE you would see a warning shown in Figure 1 below. However, most users may not completely understand the warning and may ignore it completely. For example, if you need to board a plane in 15-minutes and need to send an urgent email what do you do? In IE, the security setting to enable this check is shown in Figure 2 and is enabled by default.

Figure 1.

Figure 2.

Validate strong encryption is used on your wireless network. WPA is preferred. For example, if you are still using WEP encryption for your home wireless network you should upgrade. There are tools that allow hackers to crack WEP encryption relatively quickly.

Encrypt sensitive documents. Encryption adds an additional layer of security. If you have personal documents saved locally they should be encrypted. Also, when sending sensitive documents those should be encrypted too.

Stolen Phone

The most common type of data breach is from physically stolen devices. Forty percent of data breaches fall under this category. Additionally, hackers may use CSI sticks to extract all data and leave your phone behind. So do not assume that your data has not been tampered with if you still have your phone in hand.

Defending Stolen Phone

Encrypt sensitive documents!

Remotely erase your phone if it is lost or stolen. For example, Mobile Defense is an Android app that can remotely find, lock, backup, and erase your phone.

Voice Mail Hacking

Can you access your mobile voicemail from your cellphone without entering a PIN? If you can, you may be susceptible to caller ID spoofing. Make sure a PIN is required for all voicemail access. Nitesh Dhanjani has a detailed blog posting about this attack.

Top 5 Home Screen Features For Android Developers

2010-03-27T07:25:00.012-05:00

Android has several very intriguing components that add many dynamic capabilities to your home screen. The trend is slowly migrating towards dynamic home screens. The static screens you have been accustomed to are over. Users want access to information faster and with fewer clicks. Patent filings are a very good barometer for the future direction of mobile operating systems and home screen patents are one of them. Dynamic home screens are definitely a trend. In fact, Android provides many intriguing home screen components that you can leverage right now to create a more efficient and dramatic user experience:

App Widgets

App Widgets are small application components that you can embed on your home screen. If you need instant access to important data, these compact portlet-like components are an ideal choice.
Advantages:

Compact design
Provides portlet-like capabilities for your home screen
Quick and simple to access
Refresh frequency is configurable

Quick Search Box

The Quick Search Box is an extremely powerful feature. It is the ubiquitous Google search function available directly on your Android device. In addition to its Google Web search capabilities, users can also search their local device and applications too. The only caveat with Quick Search is that users must opt-in to search their applications.
Advantages:

The only search function your device will ever need
Leverages the power of Google Search
Displays results in a consistent framework
Available directly from your home screen

Live Wallpapers

Live Wallpapers are interactive backgrounds that are available on your home screen. Most of the current Live Wallpaper apps in this space are of the fun and whimsical type. However, if you wanted your calendar, appointments, or stock streamer available here it can be accomplished.
Advantages:

Quick and simple to access
Refresh frequency can be customized
These are simply apps exposed to the background

Live Folders

A Live Folder is a real-time view of data. Live Folders can be launched from your home screen via a shortcut.
Advantages:

Quick and simple to access
Data is refreshed in real-time

Status Bar Notifications

Status Bar Notifications conveniently alert the user from the home screen. In addition to an icon or text notification you can also be notified via sound, vibration, or flashing lights.
Advantages:

Quick and simple to access
Alerts can notify users in real-time

No Fluff Just Stuff: Minneapolis Summary (Spring)

2010-03-14T23:22:00.004-05:00

The No Fluff Just Stuff conference was back in Minneapolis. Here is a brief recap of the sessions I attended:

Encryption on the JVM: Boot Camp

Key points:

Anything can be cracked with time, money, and hardware. The goal is to make it an infeasible task.
The Java Cryptography Extention (JCE) within the JDK is a good library. However, JASYPT was the speakers preferred encryption library.
Is all of your sensitive information encrypted?

Encryption on the JVM: Advanced Techniques

Key points:

WIFI networks are not secure. There are plenty of software tools available today that can crack WIFI security algorithms (WEP or WPA).
The unfortunate companies that are exploited for encryption vulnerabilities may appear in the Non-Encrypted Hall of Shame
Top 25 most dangerous programming errors

Hadoop: Divide and Conquer Gigantic Datasets (Intro)

Key points:

Hadoop is an extremely performant solution for searching enormous amounts (terabytes) of unstructured data (HTML, XML, images). The performance advantage is achieved from partitioning the search across a cluster of worker nodes.

Keynote: How (not why) Agile Works!

Key points:

Agile works for the following three reasons:
1. It provides continuous feedback loops
2. Improves communication
3. It is fun!

Grails - How to Build Enterprise Apps

Key points:

The GORM capabilities are nice. It is not necessary to code trivial finder methods. For example, Person.findAllByAgeLessThan(16) is implicitly available. The convention works as follows: .findAllBy(). Very convenient.

Implementing Evolutionary Architecture

Key points:

Restful Web Services are appealing because they are scalable and free.
What is the value of leveraging Hypermedia as the engine of application state (HATEAOS)? This strategy completely decouples the server-side workflow from the client. For example, imagine we have a wizard-style workflow where the user makes decisions and clicks the "next" button as they continue through each step. As the server processes the requests, it will update the state of the workflow and respond with a list of allowable transitions (URI links) that the user may perform next. What is the advantage? If the workflow changes in the future we only have to update the workflow on the server-side. No client-side changes will be necessary because the server is dynamically driving the UI's navigation by returning the allowable URI links following each request.

Implementing Emergent Design

Key points:

Code == Design
Delay design decisions until the last responsible moment.
Eliminating technical debt must be a continuous process. You may evaluate your technical debt with Sonar.
Code analysis tools:
- ckjm (analyze coupling)
- x-ray (Eclipse plug-in to analyze system complexity)
- Structure101 (Currently used on the Spring framework)

HTML 5 ... and the Kitchen Sink

Key points:

Preview of HTML5
Supported browsers and features
HTML 5 GeoLocation Demo (Only works in Firefox)
Canvas example

Architecting Code for Concurrent Execution

Key points:

The preferred design strategy is to manage concurrency concerns at an architectural level. Traditionally, we have leveraged concurrency via Java's synchronized keyword at the method level. Successfully managing concurrency at a low level can become challenging. Instead, prefer to leverage architectural design patterns to simplify concurrency management. Several design patterns for consideration include:
Functional languages are inherently thread-safe because all their objects are immutable.

Introducing Spring Roo

Key points:

Spring Roo can help provide Grails-like scaffolding. A valuable tool for rapid prototyping.

Android: Ideal Platform for Busy Java Developers

2010-02-07T08:12:00.012-06:00

Android is an appealing technology for Java developers. The platform provides many new capabilities and possibilities. In addition, the learning curve is relatively small.

**Learning Curve Matrix**
Tool	Skillset		Description
Tool	New	Existing	Description
Java		X	Android applications are written using the Java programming language. This should be a major advantage for Android because the Java community is extremely strong. A skillset that deserves more attention when developing mobile applications is performance. Java developers must adhere to coding practices that optimize performance. Mobile development is the only platform where production devices will run much slower than your local development environment. For example, the emulator running on your local PC will have much greater network bandwidth, RAM, and processing power compared to the mobile devices running in production. Although, within Eclipse you can configure the network speed you want your emulator to simulate. This is a valuable feature for simulating the speed of your application across different performing mobile networks.
Android SDK	X		The Android SDK is the only new skillset that must be acquired for existing Java developers. The Android developer documentation is very informative and the SDK install has sample applications for nearly every SDK feature. In addition to learning the SDK, developers will also need to become familiar with the Android architecture, lifecycle, and mobile design guidelines. Android's developer documentation contains substantial information within each of these areas.
IDE		X	The preferred IDE for developing Android applications is with Eclipse and the Android Development Tools (ADT) plugin. Experienced Eclipse developers should have a complete development environment setup in about ten minutes when following the quick start guide. However, other IDE's are supported for Android development too.
Debugger		X	Debugging Android applications is simple. It is identical to what you have become accustomed to within Eclipse. Simply set your breakpoints and run your application in Debug mode. The Dalvik Debug Monitor Server (DDMS) is an extremely helpful debug tool that's included within the ADT plugin. It contains features for monitoring threads, CPU usage, memory consumption, and garbage collection. In addition, it allows the developer to mock incoming calls, SMS messages, location controls (GPS positioning), and network speed and latency.
Deploy		X	Running your Android application is identical to running a Java application. Within Eclipse, you simply right-click on your project and select Run As -> Android Application.

Again, the ideal advantage Android has for Java developers is the rapid setup and the productivity of leveraging many existing skills. Mobile development requires application developers to think in a slightly new paradigm. Android allows Java developers to focus on this new paradigm exclusively.

Favorite Android Links

Bulletproof SSO with SAML 2.0

2010-01-16T06:40:00.008-06:00

Bulletproof status is difficult to achieve. Even bulletproof glass is a myth. Is it possible to achieve bulletproof status with an SSO implementation? First, lets start with a code review checklist of assertions that must all pass in order to achieve bulletproof status.

Code Review Checklist for a Web Browser SSO Profile

The Web Browser SSO Profile with Redirect/POST bindings is the most common SSO implementation. The checklist will focus primarily on this profile. If interested, Google has an extremely helpful static demo and reference implementation of this SSO profile online.

Validate Message Confidentiality and Integrity

SSL 3.0 is the most common solution to guarantee message confidentiality and integrity. Refer to SAML Security (section 4) for additional information. This step will help counter the following attacks:
- Eavesdropping 7.1.1.1
- Theft of User Authentication Information 7.1.1.2
- Theft of the Bearer Token 7.1.1.3
- Message Deletion 7.1.1.6
- Message Modification 7.1.1.7
- Man-in-the-middle 7.1.1.8

A digitally signed message with a certified key is the most common solution to guarantee message integrity and authentication. Refer to SAML Security (section 4) for additional information. This step will help counter the following attacks:
- Man-in-the-middle 6.4.2
- Forged Assertion 6.4.3

Validate Protocol Usage

This is a common area for security gaps. In fact, Google's original SSO implementation suffered from a severe security flaw in this area. The flaw was identified with SATMC, a state-of-the-art model checker for security protocols. Their SSO profile was vulnerable to a Man-in-the-middle attack from a malicious SP (Service Provider). As ironic as it seems, the SSO Web Browser Profile is most susceptible to attacks from trusted partners. This particular security flaw was exposed because the SAML Response did not contain all of the required data elements necessary for a secure message exchange. Following the SAML Profile usage requirements for AuthnRequest (4.1.4.1) and Response (4.1.4.2) will help counter this attack. The Formal Analysis team documented these requirements in much simpler notation. Their documentation for required data elements were as follows:

AuthnRequest(ID, SP); An AuthnRequest must contain and ID and SP. Where ID is a string uniquely identifying the request and an SP identifies the Service Provider that initiated the request. Furthermore, the request ID attribute must be returned in the response (InResponseTo="<requestId>"). InResponseTo helps guarantee authenticity of the response from the trusted IdP. This was one of the missing attributes that left Google's SSO vulnerable.

Response(ID, SP, IdP, {AA} K -1/IdP); A Response must contain all these elements. Where ID is a string uniquely identifying the response. SP identifies the recipient of the response. IdP identifies the identity provider authorizing the response. {AA} K -1/IdP is the assertion digitally signed with the private key of the IdP.

AuthAssert(ID, C, IdP, SP); An authentication assertion must exist within the Response. It must contain an ID, a client (C), an identity provider (IdP), and a service provider (SP) identifier.

Validate Protocol Processing Rules

This is another common area for security gaps simply because of the vast number of steps to assert. Processing a SAML response is an expensive operation but all steps must be validated.

Validate AuthnRequest processing rules. Refer to SAML Core (3.4.1.4) for all AuthnRequest processing rules. This step will help counter the following attacks:
- Man-in-the-middle (6.4.2)

Validate Response processing rules. Refer to SAML Profiles (4.1.4.3) for all Response processing rules. This step will help counter the following attacks:
- Stolen Assertion (6.4.1)
- Man-in-the-middle (6.4.2)
- Forged Assertion (6.4.3)
- Browser State Exposure (6.4.4)

Validate Binding Implementation

For an HTTP Redirect Binding refer to SAML Binding (3.4). To view an encoding example, you may want to reference RequestUtil.java found within Google's reference implementation.

For an HTTP POST Binding refer to SAML Binding (3.5). The caching considerations are also very important. If a SAML protocol message gets cached, it can subsequently be used as a Stolen Assertion (6.4.1) or Replay (6.4.5) attack.

Validate Security Countermeasures

Revisit each security threat that exists within the SAML Security document and assert you have applied the appropriate countermeasures for threats that may exist for your particular implementation. Additional countermeasures considererd should include:

Prefer IP Filtering when appropriate. For example, this countermeasure could have prevented Google's initial security flaw if Google provided each trusted partner with a separate endpoint and setup an IP filter for each endpoint. This step will help counter the following attacks:
- Stolen Assertion (6.4.1)
- Man-in-the-middle (6.4.2)

Prefer short lifetimes on the SAML Response. This step will help counter the following attacks:
- Stolen Assertion (6.4.1)
- Browser State Exposure (6.4.4)

Prefer OneTimeUse on the SAML Response. This step will help counter the following attacks:
- Browser State Exposure (6.4.4)
- Replay (6.4.5)

Need an architectural diagram? The SAML technical overview contains the most complete diagrams. For the Web Browser SSO Profile with Redirect/POST bindings refer to the section 4.1.3. In fact, of all the SAML documentation, the technical overview is the most valuable from a high-level perspective.

97 Things Every Project Manager Should Know

2009-11-30T17:15:00.012-06:00

I have now finished reading each book within the 97 series:

As expected, most topics within this book emphasized the importance of communication and people. Barbee Davis, the author of the book also has a 60-minute Webcast about this book that you may be interested in if you can not get your hands on the book.

My Favorite Tips:

Success Is Always Measured in Business Value (Page 36) by Barbee Davis
- Favorite Quote:
  "We need to focus on the fact that the project is only as successful as the business value it adds to the organization."
- Key Message:
  It is extremely important that everyone involved on the project is aware of the business value the project will deliver. This will clarify the project objective and it allows the team to focus on a single team goal. Most developers focus on code quality, good design principles, and code maintenance. While all of those attributes are valuable, none is more important than the business value that your team ultimately delivers for your customer.

Value Results, Not Just Effort (Page 58) by Venkat Subramaniam
- Favorite Quote:
  "Encourage programmers to report the progress they make, rather than how long they work. Let them know that you care about getting results rather than keeping track of how long they spent at the computer."
- Key Message:
  We typically track effort because it is the simpler of the two metrics to calculate. The time sheet will show effort. Alternatively, results will require a calculation of hours worked and velocity. Ultimately, the focus must be on maximizing velocity and not just effort.

Developer Productivity: Skilled Versus Average (Page 26) by Neal Ford
- Favorite Quote:
  "Understand that really good software developers are much more productive than average ones. In fact, some statistics say that really good developers are multiple orders of magnitude better than poor ones."
- Key Message:
  Dave Thomas gave a similar talk about this topic in 2003. Continuous learning is the key point within this post. Combined with the right tools and knowledge you will see greater efficiency gains on your projects. The real challenge is allocating time to focus on your continuous learning efforts.

Provide Regular Time to Focus (Page 40) by James Leigh
- Favorite Quote:
  "Typically, a person takes about 20 minutes to regain his train of thought after one of these interruptions. A 5-minute question actually costs 25 minutes. Interruptions and recovery time consume 28% of a typical knowledge worker's day."
- Key Message:
  Interruptions are not going away. In fact, actually responding to questions and attending meetings will improve productivity for others within the team. What's the solution to the interruption problem? There is no ideal solution to this problem. However, if you provide good documentation, training, and education, interruptions should be diminished. If you still find that distractions are an occurrence, try working several hours outside of core hours. There will be fewer interruptions outside core hours. While interruptions will not go away, you can configure your daily schedule to find more ideal focus time.

Add Talents, Not Skills, to Your Team (Page 14) by Richard Sheridan
- Favorite Quote:
  "My advice to anyone seeking to build a strong team is to hire for talents, not for skills. What talents do I look for when hiring technologists for my development teams? Good kindergarten skills:"
- Key Message:
  This tip changed the way thought about hiring. I was a believer in tech skills first and team skills second. Tech skills can be learned relatively quickly. The same can not always be said about team skills.

97 Things Every Programmer Should Know

2009-10-30T07:13:00.025-05:00

The 97 series now consists of the following titles:

The architect book was very good. The programming topics were also good but I found more value within the architecture discussions. I definitely want to get my hands on the project management book soon. I have a feeling that one will be a bit more humorous.

My Favorite Things Programmers Should Know:

The Professional Programmer by Uncle Bob
- Favorite Quote:
  "Professionals are responsible. They take responsibility for their own careers. They take responsibility for making sure their code works properly. They take responsibility for the quality of their workmanship. They do not abandon their principles when deadlines loom. Indeed, when the pressure mounts, professionals hold ever tighter to the disciplines they know are right".
- Key Message:
  This post was unquestionably at the top of the my list. The entire message is about personal responsibility. This one's a wall hanger. Print it out, frame it, and hang it up! This post reminded me of the talk I heard Dave Thomas give many years ago at No Fluff Just Stuff.
Don't Rely on "Magic Happens Here" by Alan Griffiths
- Favorite Quote:
  "You don't have to understand all the magic that makes your project work, but it doesn't hurt to understand some of it — or to appreciate someone who understands the bits you don't."
- Key Message:
  Can you fulfill the roles of every individual on your last project? Image how valuable you'd be if you could. Again, the more knowledge you have, the more efficient you and your project will be.

Hard Work Does not Pay off by Olve Maudal
- Favorite Quote:
  "programming and software development as a whole involve a continuous learning process."
- Key Message:
  Continuous learning is the key point within this post. Combined with the right tools and knowledge you will see greater efficiency gains on your projects. The real challenge is allocating time to focus on your continuous learning efforts.

First Write, Second Copy, third Refactor by Mario Fusco
- Favorite Quote:
  "So the first time you are implementing something new, write it in the most readable, plain, and effective way. It is definitely too early to put the general part of your algorithm in an abstract class and move its specialization to the concrete one or to employ any other generalization pattern".
  
  "The second time you face a problem that resembles the one you solved before, the temptation to refactor that first implementation in order to accommodate both these needs is even stronger. But it may still be too early. It may be a better idea to resist that temptation and do the quickest, safest, and easiest thing it comes you in mind: Copy your first implementation".
  
  "When you need that solution for the third time, even if to satisfy a slightly different requirement, the time is right to put your brain to work and look for a general solution that elegantly solves all your three problems. Now you are using that algorithm in three different places and for three different purposes, so you can easily isolate its core and make it usable for all three cases".
- Key Message:
  The Rule of Three also applies for reuseability. For example, in order for a solution to be classified as a design pattern the rule of three must apply. If you can successfully apply the same pattern across three separate systems you have a design pattern. Furthermore, this rule also applies to API design. If your API can successfully be consumed by three separate clients, you have a very concrete and proven design. Applying the Rule of Three for shared services or libraries is also valuable.

YUI to the rescue

2009-09-30T18:49:00.002-05:00

Are you still rolling your own HTML user interface components? If you are, take a look at what YUI has to offer. The advantages of leveraging YUI's standard components are abundant.

YUI Advantages:

Saves cost on development effort. The suite of controls are already developed and tested. This allows your team to work on more valuable tasks.
Excellent performance. YUI has adopted many of the great performance improvement practices that were identified in Best Practices for Speeding Up Your Web Site. Several of the performance improvements include:
- Minified JavaScript and CSS files. This will improve page load performance with smaller files to download.
- Aggregated or rolled-up JavaScript and CSS files. This will improve page load performance with fewer HTTP requests.
- Yahoo will host the files on their own Content Delivery Network. In addition, Yahoo will compress and cache all of their controls for even greater performance. They also manage versioning.
Components are supported across all A-Grade browsers
Helps non-UI experts design beautiful user interfaces. Yahoo provides the design and CSS layout for all of their components.
508 compliant. All components are screen reader accessible.
All components already have extensive documentation with many examples.
Reusable. You can apply the YUI controls everywhere because they are not proprietary.
Technology agnostic. These controls can be applied across all Web environments regardless of technology (Java, .NET, Rails, etc.).
Support many features that allow you to change behavior without customizing the code.
Thier code is clean. I validated their JavaScript with JSLint and few errors were reported. I also validated their CSS files and no major issues existed either.

YUI Disadvantages:

Some controls are not bullet proof. For example, there is a sorting issue with their datatable control if you embed the component within a table. However, this is not an issue if you are working in a CSS based design.
They do not have everything but the list is extensive.

Recommendations:

Try to avoid customizations. Customizing the code will make it difficult to migrate to newer versions in the future.

Preventing Buffer Overflow Attacks

2009-08-31T21:36:00.003-05:00

Is your website resilient enough to withstand a buffer overflow attack? A buffer overflow attack is actually one of the simpler attacks a malicious user may attempt. Imagine the following scenario. You have a public facing web page that allows unauthorized users to submit data. A malicious user probes your site to see if you have exposed this vulnerability. If your site is at risk, it may only take minutes for the user to bring your site down if they employ a botnet attack.

The Attack

The simplest attack method is for malicious users to throw overloading (2GB - 8GB) amounts of data in a text field in hopes of crashing the server due to out of memory errors.

The Prevention

Bounds checking on the server-side is the most effective solution for preventing buffer overflows. For example, if you are using Spring's annotation-based validation this is all you would need:
```
/**
 *
 * Spring's annotation reference documentation
 * Configuration setup example
 */
public class Student {
 
 @NotBlank
 @Length(max = 50) 
 private String firstName;
 
 @Length(min = 1, max = 50) 
 private String lastName;
 
}
```
HTML's maxlength attribute is NOT sufficient:
```
<input type="text" name="firstName" maxlength="50" />
```
This is not secure because there are tools that will enable users to bypass this HTML tier of validation. You must perform max length validation on the server-side as in the example above.
Leverage the bulkhead stability pattern to decouple your authenticated business critical applications from your publicly exposed (more vulnerable) applications. The goal of this pattern is to preserve the stability for a particular group of customers. Most software attacks are targeted at publicly available web sites. You should leverage this pattern if you want to help preserve the stability of your authenticated users during an attack on your publicly available sites.
Prefer to keep public data out of session. This simple solution will help preserve memory if a user attempts a buffer overflow attack.

JavaScript Singletons

2009-07-31T20:00:00.029-05:00

JavaScript singletons are relatively simple to create. With two additional characters you can define your object as a singleton. I'll show how this is accomplished in a moment. In my prior JavaScript post I talked about why the module pattern was preferred for creating objects. Those objects were prototype-based and multiple instances were allowed. The following examples illustrate the preferred way to create singletons with the Module pattern. This should be your preferred creational pattern for creating JavaScript singletons.

Singleton Pattern Example #1:

/*
 * Singleton counter example.
 */
var mySingletonCounter = function() {
 
   /* private, static variables */
   var count = 0;

   return {
      /* public methods */
      increment: function (inc) {
           alert('Adding ' + inc + ' to count.');
           count += inc;
      },
 
      getCount: function() {
           alert('The current count is ' + count);
           return count;
      }
   };
}(); // <- These two parentheses define the object as a singleton.  It assigns the result of invoking this function to mySingletonCounter.

To exercise the singleton, the button below will execute the following code:

mySingletonCounter.increment(2); mySingletonCounter.getCount();

Run Singleton Counter

Singleton Pattern Example #2:

/*
 * Singleton data access example.
 */
var mySingletonData = function() {
 
   /* private, static variables */
   var data = {
       1: "Harry Potter and the Philosopher's Stone",
       2: "Harry Potter and the Chamber of Secrets",
       3: "Harry Potter and the Prisoner of Azkaban"
   };

   return {
      /* public methods */
      getData: function() {
           return data;
      }
   };
}();

Reference the singleton object in the following manner:

mySingletonData.getData()[2];

Run Singleton Data

Advantages:

It is extremely simple to declare a JavaScript object as a singleton. More dynamic languages are focusing on simplicity. For example, Groovy has recently provided the @Singleton transformation to simplify Singleton creation.
Improved run-time performance vs the prototype-based creational pattern.
You still leverage all the advantages that the module pattern provides.

Agile: A requirements change is a competitive advantage

2009-06-27T10:02:00.019-05:00

At what point in the lifecycle should requirements be locked down?

Before development begins
Never
Somewhere in between

Most developers will immediately choose "Before development begins" for simplicity. However, if you work in an agile environment that responds well to change then there are many advantages to "Never".

Advantages of Changing Requirements

Changing requirements will improve the product and should give you a competitive advantage.
Changing requirements will evaluate the efficiencies of your development, QA, and deployment processes. Highly effective or agile teams will deliver the new requirement relatively pain-free.
Changing requirements encourage automation throughout the lifecycle. The important factor here is that it encourages automation across all departments (development, QA, deployment). The following attributes must exist within each department for this strategy to be successful:
- Development:
- QA:
- Deployment:

Software must be delivered faster so the customer's can identify the change points sooner in the lifecycle. The goal is to deliver testable software quicker. How many of you deliver testable code after iteration one? How many of you have customer demos of working software after iteration one? The goal is to identify changes sooner in the lifecycle and this will help minimize the risk of failing to meet your production delivery date.

Disadvantages of Changing Requirements

Changing requirements may delay the project. This is where the debate typically begins. However, if you initially plan for some percentage of change you should be fine. Identifying change early in the lifecycle will also help remedy the impact.

The Hybrid Example

Which auto makers were most successful with their hybrid initiatives? It was the automakers that adopted lean/agile practices many years ago. The automakers that did not change soon enough are now scrambling to recover. Changing requirements can have a huge competitive advantage if your environment responds well to change. A key attribute of being agile is adapting to change.

JavaScript: The Good Parts

2009-05-07T21:12:00.031-05:00

What's the most popular functional language? JavaScript is. And if you are interested in learning the finer points of the language I recommend Douglas Crockford's latest book titled JavaScript: The Good Parts. It is a very quick read at only 145 pages! The most valuable lesson I learned from the book was the correct way to create JavaScript objects with the Module Pattern. The following examples illustrate the Module pattern. This creational pattern leverages closure to achieve encapsulation, information hiding, and global safety. No other JavaScript creational pattern provides these capabilities. This should be your preferred creational pattern in JavaScript.

Module Pattern Examples:

/**
 * A search module that provides the ability to search by name.
 */
var search = function (criteria) {
    /* private variables */
    var name = criteria.name;
 
    /* private methods */
    var renderResponse = function() {
        alert('rendering response for: ' + name);
    };
 
    /* return our public API methods */
    return {
        execute: function() {
            alert('searching for: ' + name);  // Perform an AJAX search
            renderResponse();                    // Perform renderResponse as part of the AJAX callback.
        }
    };
};

Instantiate a new search object:

search({'name':'Johnny'}).execute();

Run search example

Alternatively, if you prefer to return your public API methods via assignment you may find this example to be simpler:

var search = function (criteria) {
    /* private variables */
    var that = {};
    var name = criteria.name;
 
    /* private methods */
    var renderResponse = function() {
        alert('rendering response for: ' + name);
    };
 
    /* Assign public API methods to that. */
    that.execute = function () {
        alert('searching for: ' + name); // Perform an AJAX search
        renderResponse();                   // Perform renderResponse as part of the AJAX callback.
    }
 
    return that;  // return by assignment example.
};

Module Pattern Advantages

Improved encapsulation. For example, if the renderResponse functionality is only pertinent to search, we can encapsulate that behavior within the search object.
Better information hiding. No consumers of the search module will be able to call renderResponse directly because it is private.
The objects are global-safe. You will not see any references to the this keyword anywhere. This will eliminate any possibility of altering global variables.
Requires less effort than other creational patterns (pseudoclassical pattern, Object.create pattern).

JavaScript Resources:

JavaScript: The Good Parts presentation from the Google Code Blog.
In particular, I found the following sections within JavaScript: The Good Parts to be most valuable for me. These mere ten pages of content were worth the cost of the book!:
- Chapter 4 (Functions):
  - Closure
  - Module
- Chapter 5 (Inheritance):
  - Functional
JSLint: an excellent tool for code quality analysis.
Doug Crockford has at least eight JavaScript presentations available at YUI theatre

Kanban: The Good Parts

2009-04-20T21:47:00.006-05:00

Kanban Estimates

Struggling with those developer estimates? If you are, you may want to give Kanban's estimation practice a try. The Kanban methodology almost entirely eliminates the estimation process. Instead of using formal planning and estimation all features have approximately the same size. Hours that were previously burnt estimating are actually spent delivering software. When compared to the Scrum estimation model, this style of estimation is very lean.

Advantages:

Hours previously spent estimating are spent delivering software.
The focus is on delivering software more rapidly vs focusing on when the software will be delivered.
Does not invest heavily in a metric that is not scientific or always accurate.

Disadvantages:

High level estimates are still necessary for resource planning.

Kanban Stand ups

Unlike Scrum stand ups where each individual answers the three magical questions of: what did I do yesterday, what am I doing today, and what issues do I have. Kanban focuses exclusively on issues. For example, the global question now becomes: Does anyone have any issues?

Advantages:

Quicker stand ups.
The stand up scales better for larger teams.
Issues are the main focus.

Disadvantages:

May lose visibility of what each member is working on.

Resources

Secure Computing: Preventing Cross Site Scripting (XSS)

2009-04-06T20:30:00.007-05:00

XSS prevention cheat sheet

The best strategies for preventing Cross Site Scripting can be found in OWASP's XSS prevention cheat sheet. Several important notes include:

You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into. There is no single escape function that can be applied for all output contexts (HTML, CSS, JavaScript). ESAPI has an API that provides encoding rules for a particular output context. Refer to the OWASP's prevention rules for more details.
It is impossible to secure a JavaScript context with escaping. This is an important note because there is no defense to this scenario except to eliminate the output of dynamic content within your JavaScript context entirely.

XSS and JSTL

JSTL used appropriately will protect you from an XSS attack within your HTML context. For example, this a valid JSTL solution:

<%-- XSS safe --%>
<c:out value="${untrusted_data}" escapeXml="true" />

By default, the excapeXml attribute is "true" within the out tag so you don't have to explicitly declare it.

The JSTL expression language alone will NOT protect you from an XSS attack. For example this is not safe and MUST be avoided for all untrusted data:

<%-- Not XSS safe --%>
${untrusted_data}

XSS input validation

Validating input characters for malicious data should not be your only method of prevention. It is recommended to always escape untrusted data on the output side because you account for all data regardless of where the data originated from. Maybe the data was maliciously altered in the database or perhaps your third-party vendor sent harmful data outside HTTP. Input validation does not account for those scenarios and should not be used as your only defense. Output escaping with ESAPI or JSTL covers all bases regardless of where the data originated from. If you prefer to validate user input for XSS you may use regular expressions. A whitelist strategy of allowing positive characters is preferred. For example, the regular expression code below is a whitelist pattern that only allows certain characters as valid input:

public final class ValidationUtils {

     /* Whitelist validation example.  Only allow alphanumerics and special characters: -@&., */
    public final static Pattern VALID_TEXT_FIELD_PATTERN = Pattern.compile("[A-Za-z0-9-@&\\.,\\s]*");
 
    public static final boolean isValid(Pattern pattern, final String value) {
        return pattern.matcher(value).matches();
    }
 
}

XSS and JSON

If you are using JSON on the client-side make sure you also validate your JSON content for malicious data. Douglas Crockford, in his recent book JavaScript: The Good Parts recommends using JSON.parse() for all untrusted content. JSON.parse() will throw an exception if the text contains anything dangerous.

Identify security gaps with Tamper Data

2009-03-26T20:18:00.005-05:00

How secure is your application? Why not perform a security audit yourself. Tamper Data is a very helpful Firefox tool to help identify security gaps your applications may have. Do you really think your hidden form fields are safe? Do you think your select list data can't be altered? Basically, all data exposed to the browser context can be altered by the end user.

Advantages of Tamper Data

Tamper data will show you how easy your data can be attacked. Every post parameter can be altered. This includes hidden fields and select list values.
Tamper data helps emphasize the data you must secure from a malicious user. Are you exposing any identifier values within the browser context? Look for these primary key values. You may find these in edit or search result screens. If you do expose sensitive keys, a malicious user may alter them as they search for sensitive data.
Tamper data makes it very easy for developers to quickly test your application against cross site scripting (XSS) and SQL injection attacks.
QA can leverage Tamper Data to identify security gaps also. This is a practice that is not very common. Tamper Data can simplify this effort.

How to setup Tamper Data

From within Firefox, download: Tamper Data.
After the download is complete, you may access the Tamper Data screen from either the Tools menu or View menu:
Start Tamper data by clicking the "Start Tamper" button:
You can now test your application for any gaps. You may tamper with any post parameter values that appear in the right pane:

Alright, so what are a few strategies for securing our data? In my next post I will discuss a few defensive programming practices to help secure your sensitive data. I'll also expose a JSTL gap that makes you vulnerable to XSS attacks.

Prefer CSS-based designs

2009-03-12T21:26:00.003-05:00

Are you leveraging the full potential of CSS? Traditionally, tabled-based layouts were the standard for structuring content. CSS provides many advantages that we should be leveraging today. In short, table-based designs should forever be deprecated.

Advantages for adopting CSS-based designs:

CSS-based designs render content better in mobile-based browsers. With mobile apps on the rise it is becoming even more important to apply CSS-based designs today on your regular browser applications. Sites designed with CSS layouts offer much better flexibility in regards to how the content is rendered on the UI. For example, given the same content you may apply a different style for your mobile based application vs your non-mobile based application.
Your pages will have less code and become much easier to read. No more <table>, <tr>, and <td> tags to clutter your content!
With less code to maintain, refactoring becomes simpler.
Your UI becomes more accessible.
Lightweight pages will be more performant.

CSS Books:

CSS Mastery:
- This book was the most valuable for me. It's a quick read and their examples are very good. I typically reference their examples first when looking for solutions.
CSS The missing manual:
- This is also a valuable book. This book contains much more content than the prior book and may be targeted for a more introductory audience. Their examples are also good but I typically reference the CSS Mastery examples first.

CSS Tools:

FireBug:
- Arguably the best tool ever invented for Web development. Refer to the FireBug site for their CSS support features. Simply awesome for everything (debugging, JavaScript, CSS)! YSlow is also a helpful FireBug addition that provides an excellent performance report card.
YUI Grids CSS:
- If you are looking for a CSS framework then this may be of value. Their base and grid styles should help with layout while their reset style will help get all browser's on an even playing field. Yahoo has a good demo of its features on their YUI Grids home page.

Spring Webflow: An elegant DSL for your MVC

2009-02-28T08:11:00.019-06:00

Spring Web Flow is an interesting MVC framework. Under the hood, it is an implementation of a Finite State Machine (FSM). However, the beauty of Spring Web Flow is in the simplified DSL templating that Web Flow provides.

First, lets look at a simple example:

<flow start-state="start">
 
    <view-state id="start" view="chooseColor.jsp">
        <transition on="red" to="showRed" />
    </view-state>
    
    <end-state id="showRed" view="red.jsp"/>
 
</flow>

This web flow above has two states and one transition. States in web flow typically correspond to views. In this case, my views are JSP's. Transitions will be triggered based on events. Within a JSP, events correspond to buttons or links. The event or button to trigger the red event is defined here:

<html>
 ... 
  
  <form:form action="${flowExecutionUrl}">
    <input type="submit" name="_eventId_red" value="Red" />
  </form:form>

 ...
</html>

The flowExecutionUrl contains the context-relative URL to the current flow execution's view state. Alright, so what advantages does web flow provide? Here are a few:

Do your business users create use cases or flow charts? If they do, those documents should map uniformly to web flows. In fact, the business users that build the flow charts should be able to interpret your web flow definitions also. Self documenting code that you can also share with the business is valuable.

Spring Web Flow provides an additional scope called flowScope. Most applications suffer from session bloat because many developers put data into session out of convenience and do not always think about its consequence. Web Flow alleviates this problem with their flow scope. For example, flow scope is created when your flow starts. And when your flow ends, all data held within flow scope is cleaned up automatically. Now you are running lean! In the example below we put a list of colors in flowScope:
```
<flow start-state="start">

    <view-state id="start" view="chooseColor.jsp">
      <on-render>
        <evaluate 
            expression="colorService.findAllColors()" 
            result="flowScope.colors" />
      </on-render>
      <transition on="red" to="showRed" />
    </view-state>
    
    <end-state id="showRed" view="red.jsp"/>
</flow>
```

Spring Web Flow also has a built-in expression language. The expression language is a feature that allows you to call your Spring beans conveniently from within your flows. In the example above, we fetched our colors from the ColorService.

There is less code to maintain compared to the other MVC frameworks. You do not need controller objects anymore. However, you still need to create model objects for binding form data to objects. The form binding in web flow is automatic for simple types.

Your flows and transitions can be secured with Spring Security. The example below shows how you may secure your web flow or a transition:

<flow start-state="start">
    <!-- secure the entire flow -->
    <secured attributes="ROLE_USER" /> 
 
    <view-state id="start" view="chooseColor.jsp">
        <transition on="red" to="showRed">
           <!-- secure this transition -->
           <secured attributes="ROLE_ADMIN"/>  
        </transition>
    </view-state>
     
    <end-state id="showRed" view="red.jsp"/>
  
</flow>

You can achieve reuse with subflows and global transitions.

<flow start-state="start">
 
    <view-state id="start" view="chooseColor.jsp">
        <transition on="red" to="showRedSubflow" />
        <transition on="green" to="showGreenSubflow" />
    </view-state>
    
    <!-- subflow states -->
    <subflow-state id="showRedSubflow" 
        subflow="redSubflow.jsp" />
    <subflow-state id="showGreenSubflow" 
        subflow="greenSubflow.jsp" />
    
    <end-state id="thankYou" view="thanks.jsp" />
 
    <!-- If every page had a cancel button we may declare that transition once. -->
    <global-transitions>
      <transition on="cancel" to="cancel.jsp" />
    </global-transitions>
 
</flow>

Web flows are browser button friendly. To achieve this, every view state rendered gets stored as a snapshot. When you press the back button, the previous snapshot is retrieved from the snapshot repository. For performance, you may limit the number of snapshots that exist within the snapshot repository.

Web flows eliminate the double-submit problem. To accomplish this, Spring will apply the POST-REDIRECT-GET pattern to all POST requests. You may also disable this feature if it's not needed or if you want better performance.

As always, Spring has strong JUnit test support to help test your flows.

In conclusion, Spring Web Flow is a very unique MVC framework. It is an ideal solution for simplifying complex work flows. I particularly like the simplicity of the domain specific templating language (DSL), the flowScope, and the expression language capabilities.

Designing for Accessibility

2009-02-19T18:14:00.011-06:00

How accessible is your website? If you are interested in finding out, you may enter your URL at the WAVE website for a quick evaluation. You may also download the WAVE Firefox plug-in for even greater control.

Well, did your site have any errors? Technically, you do not have anything to worry about unless your site is for a government agency. In any case, Web standards are a good thing to design for and this WAVE plug-in can be a great tool to help find any gaps you may have. In addition, this tool can also serve as another check list item for your next client-side code review.

If you are interested in designing for accessibility, the effort is minimal. For example, you can achieve nearly zero accessibility errors by simply focusing on these three categories:

Create accessible forms
Create accessible images with appropriate alt text
Use appropriate heading and table header tags

You may be wondering about dynamic content. If you have dynamically updated content, you will also want to learn about ARIA (Accessibility of Rich Internet Applications). For example, if you have data that gets dynamically updated within a <div> tag you can include aria attributes to notify assistive technologies of dynamic content updates. Here are several examples that demonstrate how to make your dynamic content accessible. There is nothing to install to take advantage of ARIA. ARIA is supported in Firefox 3+ and IE 8+.

In conclusion, the effort involved to implement these accessibility standards is relatively minor. In return, you are designing towards standards, your site is consumable by a larger user base, and you have just given your sales team another competitive advantage. The WAVE plug-in also gives you and your QA team an automated tool to evaluate pages for accessibility compliance.

A Spring Pattern for Error Logging

2009-02-12T18:13:00.010-06:00

Looking for an effective error logging solution? I recently found this pattern from the Pro Spring 2.5 team and it has several very elegant features which include:

It is an AOP based solution so it will prohibit you from infecting your business logic with error logging details. This concept isn’t new. The next two features I thought were more interesting.
The log details are written to a database. In fact, the exception will only get written once. If an identical exception occurs the count of that occurrence will be incremented. This reduces the redundancy that we see in file based solutions.
For reporting purposes, the following exception details will be captured:

number of occurrences (nice feature)
exception name
class and method name
method arguments (nice feature)
stack trace
timestamp of last occurrence

An example report may look like:

There are two components necessary to complete this task. An aspect for identifying the level at which you want to capture exception logging. And secondly, a data access object to manage the persistence. Here's an example of the Spring Aspect that will intercept all Service method calls:

@Aspect
@Component
public class ErrorLoggingAroundAspect {
 
    @Autowired
    private ErrorLogDao errorLogDao;
 
    @Around("execution(* com.mycompany.myproject.service.*Service*.*(..))")
    public Object doBasicProfiling(ProceedingJoinPoint pjp) throws Throwable {
        pjp.getSignature().getName();
        try {
            return pjp.proceed();
        } catch (Throwable t) {
            insertThrowable(t, pjp);
            throw t;
        }
    }
 
 
    private void insertThrowable(Throwable t, ProceedingJoinPoint pjp) throws IOException {
        StringWriter stackTrace = new StringWriter();
        t.printStackTrace(new PrintWriter(stackTrace));
        stackTrace.close();
        StringBuilder methodArgs = new StringBuilder();
        for (Object argument : pjp.getArgs()) {
            if (methodArgs.length() > 0) methodArgs.append(",");
            methodArgs.append(argument);
        }
        methodArgs.insert(0, "(");
        methodArgs.insert(0, pjp.getSignature().getName());
        ErrorLog errorLog = new ErrorLog(
          t.getClass().toString(), stackTrace.toString(), methodArgs.toString());
        this.errorLogDao.insert(errorLog);
    }
}
 
 
public class ErrorLog {
    private String exceptionName;
    private String stackTrace;
    private String method;
    private int count = 1;
 
    public ErrorLog(String exceptionName, String stackTrace, String method) {
     this.exceptionName = exceptionName;
        this.stackTrace = stackTrace;
        this.method = method;
    }
}

Here's the example DAO that will persist the exception to memory. A real solution would persist to a database.

/** Persists to memory.*/
@Repository
public class ErrorLogDaoImpl implements ErrorLogDao {
 
    private List<ErrorLog> errors = Collections.synchronizedList(new LinkedList<ErrorLog>());
 
    public void insert(ErrorLog errorLog) {
        for (ErrorLog log : this.errors) {
            if (log.getMethod().equals(errorLog.getMethod()) &&
                    log.getStackTrace().equals(errorLog.getStackTrace())) {
                log.setCount(log.getCount() + 1);
                return;
            }
        }
        this.errors.add(errorLog);
    }
 
    public List<ErrorLog> getAll() {
        return this.errors;
    }
}

In addition to the code above, you will also need to include <aop:aspectj-autoproxy/> within your Spring configuration file. This tag scans for @Aspect's and turns them into proxies.

Again, I like this solution because it keeps the business-tier clean of logging details, there are no redundant error log messages like we see with file-based solutions, and the persisted data allows for much simpler error reporting. In addition to error logging, I also see this pattern being a good solution for business auditing too.

Pro Spring 2.5: the Good, the Bad, and the Ugly

2009-02-07T11:20:00.023-06:00

Pro Spring 2.5 covers the new 2.5 additions to the Spring framework. The table of contents is viewable from the Apress web site.

The Good:

In addition to the new core framework features (JDBC, AOP, remoting, transaction management) they also included chapters about Spring MVC, Spring Web Flow, JMX, testing, and performance tuning.

The authors do a good job of including introductory content for new Spring users. In fact, the first eight chapters (Part I) were targeted towards users getting started with Spring.

The author's explain many of the new features in great detail and had code examples for nearly everything. However, there are some gaps in their code examples.

If you are a fan of Josh Bloch's puzzler's then you will definitely enjoy some of the code examples. The disappointing point is that these were not intentional mistakes! If you do not like puzzlers, then move this one to the bad and ugly category.

The Bad and Ugly:

The source code examples in this book contained many typos and copy-paste errors. More than I had ever seen an any book previously. Unfortunately, this may cause confusion for new Spring users.

My recommendation (3.9 stars out of 5):
I originally preordered this book based on the reputation of the first Pro Spring book. That book was very good and it had great reviews to back it up. Despite the typo's, I have found value in this book. I have given brown bags on the new features of Spring, Spring MVC, and Spring Web Flow and I gathered most of my content from this book. This book has been a good compliment to the Spring reference documentation. However, If you can't tolerate an occasional typo then you may want to avoid this book completely.

97 Things Every Software Architect Should Know – The Book

2009-02-04T17:35:00.003-06:00

Richard Monson-Haefel's list of 97 Things Every Software Architect Should Know is expected to be released soon by O'Reilly. I personally want to thank Richard for assembling this great list! We have always seen the architectural and programming design pattern books on the shelves but this one will be an awesome compliment.

I think these types of books where content is submitted by many contributors will become much more popular going forward. Career 2.0, by Jared Richardson, is another new book where the content was gathered in a similar fashion. In fact, you may submit your experiences for this book now on their Career 2.0 blog.

Is this a trend? Not sure, but it is interesting.

Developing Expertise

2009-01-27T19:35:00.001-06:00

Looking for an exciting talk on developing expertise? I definitely recommend Dave Thomas' talk on "Herding racehorses and racing sheep." I was fortunate enough to attend this talk at NFJS back in 2003 and it is still a classic. The talk is also very humorous:) The wizard vs wizard argument and the wizard vs novice points were hilarious. Thanks Dave, this advice has been very helpful for me over the years!