May 13, 2008 | Comments: (0)
Visual Studio 2008 SP1: To beta, or not to beta?
As I mentioned in An old Visual Studio problem rears its ugly head back in February, I've been looking forward to SP1 for Visual Studio 2008 and .NET Framework 3.5. Why? These are supposed to fix most of the problems I've been having with Visual Studio, and restore most of the functionality that was cut from the initial 2008 release.
SP1 is out, but only as a first beta-test version. As is true with most beta-test products, there are risks to running it, ranging from a high likelihood of encountering new bugs to a low likelihood of trashing your system to the point where your most effective option is to reinstall Windows from scratch on a newly formatted partition, also known by the woodworking analogy of scraping your drive down to the bare bits.
The list of improvements in this version is impressive. Both Scott Guthrie and Brad Abrams have discussed these in their blogs. Brad does a great job of covering new features; Scott does too, in a slightly different way, and also highlights the known incompatibilities.
Here are the "gotchas", copied from Scott's blog:
1) If you are running Windows Vista you should make sure you have Vista SP1 installed before trying to install .NET 3.5 SP1 Beta. There are some setup issues with .NET 3.5 SP1 when running on the Vista RTM release. These issues will be fixed for the final .NET 3.5 SP1 release - until then please make sure to have Vista SP1 installed before trying to install .NET 3.5 SP1 beta.
2) If you have installed the VS 2008 Tools for Silverlight 2 Beta1 package on your machine, you must uninstall it - as well as uninstall the KB949325 update for VS 2008 - before installing VS 2008 SP1 Beta (otherwise you will get a setup failure). You can find more details on the exact steps to follow here (note: you must uninstall two separate things). It is fine to have the Silverlight 2 runtime on your machine with .NET 3.5 SP1 - the component that needs to be uninstalled is the VS 2008 Tools for Silverlight 2 package. We will release an updated VS 2008 Tools for Silverlight package in a few weeks that works with the VS 2008 SP1 beta.
3) There is a change in behavior in the .NET 3.5 SP1 beta that causes a problem with the shipping versions of Expression Blend. This behavior change is being reverted for the final .NET 3.5 SP1 release, at which time all versions of Blend will have no problems running. Until then, you need to download this recently updated version of Blend 2.5 to work around this issue.
I wouldn't install this version on my primary development system, but I might install it on a secondary development system after doing a full back-up.
To beta, or not to beta? Maybe both.
Posted by Martin Heller on May 13, 2008 11:37 AM
May 06, 2008 | Comments: (0)
Backbase, "The Ajax Company," announced today that it officially supports Adobe AIR in its development environment. This was implicit in last month's announcement of Version 4.2, but now it's explicit.
Here's the full release:
Backbase Enterprise Ajax Now Supports Adobe AIR
Allows deployment of Ajax based Web applications on the desktop
SAN MATEO, Calif., May 6th, 2008. Today, Backbase, The Ajax Company™, adds official support for Adobe® AIR™, a new runtime environment from Adobe Systems for deploying rich Internet applications (RIAs). This integration lets applications built on Backbase Enterprise Ajax run as applications on the desktop across various operating systems.
Applications created with Backbase Enterprise Ajax and deployed on Adobe AIR can access desktop file systems, clipboards, drag and drop events, and system tray/notifications. They can store information locally and operate offline. The combination of Backbase Enterprise Ajax and Adobe AIR opens up new opportunities for web application developers to extend their Ajax solutions to the desktop.
Developers will also benefit from the new integration because they can now use a single platform — Backbase Enterprise Ajax — to build both online and desktop applications. “Now developers can use both their Ajax skills and Web technologies like HTML and Ajax to develop desktop applications,” says Michel Gerin, Backbase VP of Marketing.
Backbase Enterprise Ajax delivers an end-to-end solution for designing, developing and deploying business critical Ajax based RIAs. With an intuitive interface, easy-to-use Ajax tags, and an extensive library of widgets, Backbase increases developer productivity, reduces lead-time for Ajax projects, and leverages existing IT investments.
Applications built and deployed with Backbase Enterprise Ajax and Adobe AIR deliver the best of both worlds. Backbase Enterprise Ajax delivers the features of browser-based RIAs plus speed of development and ease of use. Adobe AIR adds desktop functionality like reading and writing local files, integrating with other applications on an end-user’s computer, and maintaining local data storage on the desktop.
“Applications on Adobe AIR combine the power of local resources with the reach of the Web,” said Robert Christensen, Adobe AIR senior product manager at Adobe. “The union of Backbase Enterprise Ajax with Adobe AIR empowers Ajax developers to use their existing skills and code to build responsive, highly engaging applications on the desktop.”
“The benefits are great” says Gerin. “Enterprise developers and ISVs can boost productivity, extend their market reach, enhance customer satisfaction, improve customer retention, lower costs, and increase profits.”
Best practices and a sample application using Enterprise Ajax with Adobe Air are available on the Backbase Developer Network at: http://www.backbase.com/adobe-air
About Backbase
Backbase, Inc, The Ajax Company™, is the leading provider of enterprise software for creating Ajax-based Rich Internet Applications (RIAs). Medium to large enterprises and independent software vendors use Backbase to enhance the usability of their Web applications, migrate fat client applications to the Web, deliver next-generation online self-service applications, and create enterprise mashups. Founded in 2003, Backbase is headquartered in San Mateo, California, USA. Additional information is available at www.backbase.com.
Posted by Martin Heller on May 6, 2008 08:56 AM
April 30, 2008 | Comments: (0)
Ajax Web suite boosts customer interactions
Last week at the Web 2.0 Expo, Ajax framework vendor Backbase introduced a new application suite called Customer Engagement 2.0. As far as I can tell, the 2.0 in the name has nothing to do with the version, as this is all new; it has everything to do with the suite being about Web 2.0, meaning Ajax and Web-based interactivity. The applications are built on top of Backbase Enterprise Ajax.
According to the company, Backbase’s Customer Engagement 2.0
"delivers a comprehensive Suite of Rich Applications that brings customer facing web applications to the next level. Customer Engagement 2.0 helps companies create, manage, and deliver online applications more effectively, so they can truly interact and connect with their customers. Customer Engagement 2.0 is about building a strong connection that drives purchase decisions and stimulates active participation. Engaged customers are one of the biggest assets a company or organization can have in today's competitive marketplace."
The suite has four components: a dashboard or portal presentation tier for mashup applications, including existing widgets and widgets built with the Backbase Enterprise Ajax framework; a forms presentation tier for user-friendly Web applications requiring data capture; a co-browse application; and a chat application.
The suite is still in beta, and the products will also be available separately. There is additional information on the company Web site, and the company would be happy to offer in-depth demos.
Posted by Martin Heller on April 30, 2008 08:18 AM
April 16, 2008 | Comments: (0)
New Backbase version improves Ajax speed, features
Backbase introduced Enterprise Ajax 4.2 today. According to the company, the new framework version offers developers more technologies, allowing for choices between rich and lightweight Ajax functionality, between CSS and XPath, between JavaScript and tag-based development, between JSON and XML, between native widgets and 3rd party widgets and between online and offline RIAs.
The principal improvements to this version are:
- New hierarchical data binding
- New Data Services module
- Support for lightweight Ajax
- New and improved widgets
- Performance enhancements
A more complete discussion of the new features can be found in Jep Castelein's blog. The offline RIA feature is basically support for Adobe AIR (see sample at left). One of the more ambitious new widgets is a Rich Text Editor.
Speed improvements have been made in all three phases of Ajax operation: load, build, and runtime. The Enterprise Ajax 4.2 product has also been tested against beta 1 of Internet Explorer 8, Opera 9.5 beta, and nightly builds of Safari 3 and Firefox 3.
A Community License for development and deployment on up to 2 server-CPUs is free; this version can be downloaded today. A commercial license is available to businesses needing more CPUs or professional support and software maintenance. A JSF Edition (optimized for Java Server Faces) will be available next month.
Posted by Martin Heller on April 16, 2008 06:30 AM
March 22, 2008 | Comments: (0)
One of the sites for which I consult recently licensed a Flash component from a third party. Of course, the vendor wanted to restrict the component licensing to avoid having the component re-used by others.
So far, so good. But this site, being large and old, has many domains and subdomains. It would be bad enough if it were just sampledomain.com and www.sampledomain.com, but then there's staging.sampledomain.com for testing and www1.sampledomain.com for bypassing the load-balancing switch and weblog.sampledomain.com for blogs, plus a bunch of variants to protect against cybersquatters.
Would the vendor license the Flash component to *.sampledomain.com? No, that isn't the way they do things. Why don't we create a new subdomain special.sampledomain.com and use it to host the Flash component in the fixed directory they'd license?
That was fine with everyone, except that it didn't work: JavaScript running on www.sampledomain.com couldn't load a Flash control from special.sampledomain.com. The vendor came up with a fix: add a crossdomain.xml file to the special.sampledomain.com root authorizing *.sampledomain.com.
That didn't work either. The next piece of the fix was to place the configuration XML file in the same directory as the Web page loading the Flash component instead of the same directory as the Flash component itself. Finally, the Flash component loaded, only it wouldn't return any information to the JavaScript of the calling page.
What was its problem? Our theory was that Flash thought it was being used for a cross-domain scripting attack. Thanks a bunch, Adobe.
The vendor provided a new license key that allowed www.sampledomain.com as well as special.sampledomain.com, which potentially fixed the problem for 90% of our users. The other 10%, however, would have gotten a message that said that the component was unlicensed, and that they should report the problem to the webmaster.
That was too ugly to accept. As a temporary fix, I wrote some server-side code to check the SERVER_NAME variable and redirect the page to www.sampledomain.com if it didn't match. That worked, and although I considered it a hack we promoted the new pages to the production site.
Meanwhile, the vendor researched the problem and determined that there was no technical fix. Finally, they did what we had initially asked for: they created a new Flash component licensed to *.sampledomain.com.
It came in Friday after I'd gone home. I'll install it Monday, and change the server-side code to only redirect URLs that aren't in *.sampledomain.com.
Happy ending? I sure hope so.
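The two host checks in this story, as an added example that is not the site's production code: a matcher for the domain patterns a Flash crossdomain.xml entry can carry, a review helper that flags the one pattern ("*") that grants every host on the Internet access, and the two flavours of the SERVER_NAME redirect (the interim "everything goes to www" version and the planned "only redirect hosts outside *.sampledomain.com" version). The function names are this example's own, and treating "*.sampledomain.com" as covering the bare sampledomain.com as well is an assumption of the example. The hosts used are the ones named in the post plus constructed look-alikes.

```javascript
// Added example (not the post's production code). Models the host checks the
// post describes: Flash-style domain patterns from crossdomain.xml and the
// server-side SERVER_NAME redirect. normalizeHost, matchesDomainPattern,
// reviewPolicyDomains, redirectTargetStrict and redirectTargetLicensed are
// this example's own names.

const CANONICAL_HOST = "www.sampledomain.com";
const LICENSED_PATTERN = "*.sampledomain.com";

// Lower-case the host and strip a port and a trailing dot, so comparisons are
// made on the bare host name a policy entry is written against.
function normalizeHost(host) {
  if (typeof host !== "string") return "";
  return host.trim().toLowerCase().replace(/:\d+$/, "").replace(/\.$/, "");
}

// Match a host against one <allow-access-from domain="..."/> pattern.
// "*" allows any host; "*.example.com" is taken here to cover example.com and
// every subdomain (an assumption of this example); anything else is an exact
// match. Suffix matching is anchored on a dot boundary, so look-alikes such
// as "notsampledomain.com" or "sampledomain.com.elsewhere.test" do not match
// "*.sampledomain.com".
function matchesDomainPattern(pattern, host) {
  const h = normalizeHost(host);
  const p = String(pattern).trim().toLowerCase();
  if (!h || !p) return false;
  if (p === "*") return true;
  if (p.startsWith("*.")) {
    const base = p.slice(2);
    return h === base || h.endsWith("." + base);
  }
  return h === p;
}

// Review helper: return the entries of a policy that grant access to every
// host, which is what a bare "*" does. An empty result is what you want.
function reviewPolicyDomains(domains) {
  return domains.filter((d) => String(d).trim() === "*");
}

// The interim fix from the post: any host other than the canonical one is
// sent to www.sampledomain.com. Returns the redirect URL, or null to serve
// the page in place.
function redirectTargetStrict(serverName, path) {
  if (normalizeHost(serverName) === CANONICAL_HOST) return null;
  return "http://" + CANONICAL_HOST + path;
}

// The planned change once the *.sampledomain.com component is installed:
// only hosts outside the licensed pattern are redirected.
function redirectTargetLicensed(serverName, path) {
  if (matchesDomainPattern(LICENSED_PATTERN, serverName)) return null;
  return "http://" + CANONICAL_HOST + path;
}

// Constructed sample: the hosts from the post plus one look-alike.
function demo() {
  const hosts = ["www.sampledomain.com", "special.sampledomain.com", "notsampledomain.com"];
  return hosts.map((h) => ({
    host: h,
    strict: redirectTargetStrict(h, "/page.asp"),
    licensed: redirectTargetLicensed(h, "/page.asp"),
  }));
}

console.log(demo());
console.log("overly permissive entries:", reviewPolicyDomains(["*.sampledomain.com", "*"]));
```

The dot-boundary check in matchesDomainPattern is the part worth copying: a plain "ends with sampledomain.com" test would also accept notsampledomain.com, and a plain "contains" test would accept sampledomain.com.elsewhere.test.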
Posted by Martin Heller on March 22, 2008 05:16 PM
December 14, 2007 | Comments: (0)
I've learned a lot of languages, both human and computer. When I learned Latin in High School, it mostly helped my English. When I learned German, I had both help and interference from my knowledge of Yiddish; ditto for when I learned Dutch. Similar things happened with Russian (college) and Chinese (grad school), although that wasn't quite the same mechanism: my brain would sometimes serve up a word from a different language than the one I was trying to speak.
As I mentioned Wednesday, there are some common constructions that have different meanings in the different languages that were inspired by C. The new object constructor isn't the only place where subtle errors can occur if you get confused.
On the other hand, learning Pascal back in the day mostly helped my Fortran. Learning many different assembly languages didn't seem to cause any interference: writing assembly language was such a painstaking process that I could usually remember what processor I was writing for at the time.
I hear from people who would rather write Java or C# than mess with JavaScript. They're the kind of people who like tools like GWT and Script# and Volta. I also hear from people who would much rather write JavaScript than Java or C#.
Do you program in more than one language? On balance, does already knowing one programming language help you to learn another, or do the languages interfere with each other and cause you to make errors? Do you find yourself preferring one language over another?
Discuss.
Posted by Martin Heller on December 14, 2007 08:18 AM
December 12, 2007 | Comments: (0)
Coding Tip: JavaScript isn't Java, C++, or C#, No Matter How it Looks
This memo just crossed my desk, from the CTO of one of the companies for which I consult. Caveat coder.
Looking at some of our JavaScript code it seems like the use of new Boolean() and new String() has been growing. This will get you into trouble. For example:
var b1 = new Boolean(false);
var b2 = false;
if ( b1 ) {
    // How the heck did I get here if b1 is false?
    // Because Boolean objects are true in a logical context.
}
if ( b2 ) {
    // As expected, we don't execute this code.
}
var s1 = new String("");
var s2 = "";
if ( s1 ) {
    // An empty string is supposed to be logically false too!
    // But this is a String *object* so we get true.
}
if ( s2 ) {
    // We never run this code, which is correct.
}
There are almost no reasons to use the new operator to create a String, Boolean, or Number object, and plenty of reasons why you shouldn't. If you put any of those into a Session variable it can cause strange errors as well.
If you need to explicitly convert some type to another type, use its conversion operator:
var str = String(num);
var num = parseInt(string, 10); // always pass the radix, so "08" parses as 8
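An added example, not from the memo, that puts the wrapper-object pitfalls side by side: typeof, truthiness, loose versus strict equality against the primitive, what happens when such a value is serialised and read back (a JSON round trip is used here as a constructed stand-in for any store that serialises its values), and the explicit conversions the memo recommends. The function names are this example's own.

```javascript
// Added example (not the CTO's memo code). Shows why Boolean/String/Number
// wrapper objects misbehave in logical contexts and equality tests, and how to
// unwrap or convert them. Function names are this example's own.

// True for objects created with `new Boolean(...)`, `new String(...)` or
// `new Number(...)`; false for the corresponding primitives.
function isWrapperObject(value) {
  return value instanceof Boolean || value instanceof String || value instanceof Number;
}

// The primitive a wrapper stands for; other values pass through unchanged.
function unwrap(value) {
  return isWrapperObject(value) ? value.valueOf() : value;
}

// Exactly what `if (value)` would do.
function isTruthy(value) {
  return value ? true : false;
}

// The three properties that catch people out, collected in one place: typeof
// reports "object", every object is truthy, and the wrapper is only loosely
// (==) equal to its primitive, never strictly (===) equal.
function describe(value) {
  const primitive = unwrap(value);
  return {
    type: typeof value,
    truthy: isTruthy(value),
    looseEqual: value == primitive,
    strictEqual: value === primitive,
  };
}

// Wrappers do not survive being serialised and stored: JSON keeps only the
// primitive, so the value's truthiness can change between the code that set
// it and the code that later reads it back. Constructed stand-in for any
// store that serialises its values.
function roundTrip(value) {
  return JSON.parse(JSON.stringify(value));
}

// The conversions the memo recommends. parseInt gets an explicit radix so
// that a string such as "08" parses as 8 on every engine.
function toInteger(text) {
  return parseInt(text, 10);
}
function toText(num) {
  return String(num);
}

console.log("new Boolean(false):", describe(new Boolean(false)));
console.log("false:            ", describe(false));
console.log("after round trip: ", isTruthy(roundTrip(new Boolean(false))));
```

The round-trip case is the one the memo's Session remark hints at: `new Boolean(false)` takes the true branch before it is stored and the false branch after it is read back, so the same flag behaves differently in two places in the application.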
Posted by Martin Heller on December 12, 2007 12:04 PM
December 11, 2007 | Comments: (0)
SlickEdit is Nice for JavaScript, Too
I've mentioned before that I like SlickEdit for editing C++ code, because it's the only tool I've found that can reliably refactor C++. In the last couple of days I have found that it's also a really nice tool for editing JavaScript, both server-side ASP JavaScript and client-side JavaScript.
Most of the other programming and Web design tools I use treat JavaScript as so much plain text. I was very pleasantly surprised to find that SlickEdit's tagging gives me reasonably good word completion and function parameter information, even when the code is being tied together with server-side includes. The dynamic preview that shows me the definition of a function in another window when I'm working on a call to that function helps as well.
Of course, I want more. It's too bad that SlickEdit can't offer anything in the way of page design, and can't seem to work directly with files on sites that use the FrontPage extensions.
Posted by Martin Heller on December 11, 2007 09:31 AM
November 30, 2007 | Comments: (0)
Three New Products from the Bindows Folks
The Ajax developers at MB Technologies have been busy, and now have posted three new products on their Web site: a Bindows gauges library toolkit, BindowsFaces, and the Bindows 4.0 Beta.
The Bindows gauges library toolkit (of which some sample images are at left) is completely free, and comes with a gauge wizard and a free subset of the Bindows Ajax library. The actual gauges are done with vector graphics and are fast enough to be used for soft real-time displays. Try it out online yourself.
Did I mention that it's free?
The BindowsFaces library, as you might guess from the name, brings Bindows-based Ajax capabilities to Java through JSF. It's for Java Faces programmers who'd prefer not to get their hands dirty with JavaScript or go through a compilation step. According to Ran and Yoram Meriaz, who demonstrated these products for me prior to the launch, BindowsFaces "is better than GWT or Oracle ADF." Obviously, they're biased, but it does look interesting. They say that the technology used to create BindowsFaces could now be used to marry other server technologies to the Bindows client libraries. BindowsFaces is a new component of Bindows 4.0.
The Bindows 4.0 beta "probably makes Bindows the most advanced professional Ajax framework in the market," according to the Meriazes. Again, take that cum grano salis, but the primary design goal of Bindows 4.0 is to add the "ability to define a fully working application without writing a single line of JavaScript." To join the 4.0 beta program, contact sales@bindows.net.
Posted by Martin Heller on November 30, 2007 01:29 PM
October 08, 2007 | Comments: (0)
I spent most of the day Monday at ReMIX07 in Cambridge, MA. I got there a little late, just in time for Miguel de Icaza's Linux/Moonlight demos near the end of Brad Abrams' keynote. Fortunately, Brad has already blogged a summary of his whole talk: ReMix Boston Keynote thoughts. I can verify firsthand that he got a good reception.
I heard a good talk by Rocky Lhotka (a developer) and Tony Handley (a designer), both of Magenic, about how they collaborated on a WPF project. It was originally supposed to be a Silverlight project, but Silverlight 1.0 doesn't have a Text Box control, and the application requires a lot of text input.
After lunch, I had a good discussion with Ed Blankenship and Grant Hinkson of Infragistics about their collaboration on a WPF reference project, Tangerine. I also had some very interesting discussions during and after lunch with several designers about how they felt about what Microsoft had been showing them.
I want to digest all this before I draw any conclusions. More soon.
Posted by Martin Heller on October 8, 2007 02:55 PM
July 30, 2007 | Comments: (0)
A few weeks ago I mentioned Aptana RadRails and noted that, although I was able to download and install Aptana, I was unable to install the RadRails plugin on Windows XP SP2. I reported this directly to Aptana support, and they initially didn't know what could be wrong: the Aptana error log was not helpful.
About once a week, I updated Aptana and tried to install RadRails. Last week, finally, it worked.
My initial impression is that Aptana RadRails retains all the strengths that RadRails had in its previous incarnation, and is stronger still because of the JavaScript support provided by Aptana. I have to admit, however, that I'm not actively working on a Rails site right now: the Rails site I worked on last summer is in production with growing content, but it's stable and we're not adding features or changing the code.
I'd be interested in what other Rails developers think of Aptana RadRails. Leave a comment here, or email me at martin_heller@infoworld.com.
Posted by Martin Heller on July 30, 2007 08:25 AM
June 20, 2007 | Comments: (0)
I'm deep into the process of reviewing InfiView, a framework for building interactive and dynamic Web 2.0 maps and diagrams that is implemented on top of Bindows. I'll hold my comments for the review, but I thought you might be interested in the online demos: InfiView™ : Demos / Experience.
The Flight Browser demo (click on the picture at the left) is especially interesting, as it combines a live Google Map with an interactive InfiView annotation layer. Understanding this particular sample from the source code and documentation took some effort, as well as some queries to support, but I think I've got it now.
By the way, don't expect real airline routes from this demo. "The airline routes are drawn using SVG in Firefox and VML in Internet Explorer. Airports are taken from a collection of airport positions. The airline routes are created by randomly connecting pairs of airports."
Posted by Martin Heller on June 20, 2007 06:00 AM
June 06, 2007 | Comments: (0)
Google Gears: Standing the Smart Client on its Head
You may have noticed by now that I'm not the go-to guy for breaking news; I'm more the guy who takes it apart and figures out what it means for developers. Even if I wasn't crazy busy last week when Google Gears was announced, and then away for a long weekend for my college reunion, it still would have taken me a while to explore it enough to talk about it.
I see Google Gears as a Smart Client stood on its head. What Microsoft calls a Smart Client is basically a desktop Windows application designed for intermittent connectivity to a server. Google Gears is basically a browser application designed for intermittent connectivity to a server. In both cases, you get full functionality when you're connected, and may have reduced functionality when you're disconnected. A Smart Client application is likely to have a richer interface and better performance than a Google Gears application, but it's also likely to require more work to develop the Smart Client.
Google Gears is implemented as a browser add-on for Windows and Macintosh computers. In Internet Explorer, it installs as an ActiveX control, a Browser Helper Object (BHO), and a Browser Extension. In Firefox, it installs as a Firefox extension. It displays a menu item for settings in both browsers.
Gears has three major modules that you can call from JavaScript: LocalServer, Database, and WorkerPool. LocalServer gives you a local cache for resources that you'd otherwise serve from the Internet. Database gives you a local instance of SQLite with a full-text search extension. WorkerPool lets you run JavaScript in a separate worker process so that it doesn't block the UI. A fourth module, the Factory, is used to instantiate all the other Google Gears objects.
Now, if you're the sort of person who thinks that ActiveX controls, Java applets, and other forms of "mobile code" are a security risk, then you should avoid Google Gears as well: it's just another ActiveX control and BHO. There is a certain amount of protection built into the system: for example, Gears does ask for opt-in permission before it lets a site write to your local hard disk. It also implements a same origin policy. But it can't possibly have industrial-strength security, and I suspect that you shouldn't use it for sensitive information without additional defensive layers of security.
The bottom line: Google Gears looks like a reasonable way for a developer to turn a pure Web application into a browser application that can also run disconnected from the Web. It's clearly at a beta level, but in my brief examination it seems to be fairly solid.
Posted by Martin Heller on June 6, 2007 06:00 AM
May 18, 2007 | Comments: (0)
John Montgomery is an old friend who is currently at Microsoft. He has alluded to working on a project codenamed "Tuscany" in his blog, but has been quiet about what it actually is, until this morning.
Welcome to Popfly demonstrates the technology.
The Genesis of Popfly or What I've Been Doing for the Last Year explains what Popfly is and how it came about.
Why I Think Popfly is Cool gives John's top-ten list.
And, the Popfly Alpha is at http://www.popfly.ms/.
The short summary is that Popfly is an easy way to build and share mashups, gadgets, Web pages, and applications. It requires Microsoft Silverlight 1.0 Beta, which is available to anyone, but Popfly itself is currently in private alpha. I have sent my request to join in through the normal mechanism (by trying to log in at the Popfly home page), but haven't yet gotten access.
I'll let you know more when I have gotten my hands on it.
Posted by Martin Heller on May 18, 2007 11:56 AM
May 11, 2007 | Comments: (0)
Silverlight Examples that Actually Work
When I posted about the book Getting Started with Silverlight last Friday, I made the incorrect assumption that the Silverlight examples mentioned in Shawn's book would work. Unfortunately, some of them were for a previous version of Silverlight, and Microsoft made breaking changes for the beta release. Oops.
In fact, the only Silverlight samples I have found that actually do work are the SDK samples listed on the MSDN Silverlight Dev Center page, the samples listed on the Silverlight home page, and the samples in the Silverlight community gallery. There is quite a bit of overlap between the Dev Center and the gallery, by the way, although that should change as more people contribute to the gallery.
Scott Guthrie has posted a long blog entry that covers the Silverlight development plan for 1.0 and 1.1, and talks about the .NET Dynamic Language Runtime (DLR). Scott also includes links to a lot more content: MIX talks, an interview, some video tutorials, and a poster.
Also, Rob Unoki has posted a tantalizing blog entry about Silverlight and the .NET Compact Framework. Would you believe Silverlight on a smart phone?
Posted by Martin Heller on May 11, 2007 06:00 AM
May 04, 2007 | Comments: (0)
Getting Started with Silverlight
Shawn Wildermuth, who wrote the excellent book Pragmatic ADO.NET (Addison-Wesley, 2003, 357 pp, $44.99, ISBN 0-201-74568-2), has been working closely with the Silverlight team at Microsoft. Just in time for the release of Silverlight at MIX07, O'Reilly has released Shawn's "short cut" on Silverlight electronically on the Web.
Getting Started with Silverlight (O'Reilly, 2007, 62 pp, $9.99, ISBN 0-596-51068-3) "introduces you to Silverlight's key features and shows you how to tap into its functionality to spice up your HTML and ASP.NET pages." The book is written to the February Silverlight CTP, which was a preview of Silverlight 1.0, so it covers programming Silverlight with JavaScript, but not programming Silverlight with managed code or using extensible controls.
I'm a fan of Shawn's technical writing, and Getting Started with Silverlight confirms my high opinion. Shawn has a good feeling for what you need to know, and how to present it clearly.
Here's the table of contents:
Why Silverlight? ............................ 2
What Is Silverlight? ........................ 3
Working with Silverlight XAML........... 7
Comparing Silverlight and WPF......... 17
Development Model ..................... 19
Using Silverlight with ASP.NET ........ 42
Using Tools ................................ 54
Finding Examples in the World ........ 61
Summary ................................... 61
For Further Reading ..................... 62
Here's a very short excerpt:
Finding Examples in the World
Beyond the resources that are available from the Silverlight DevCenter (http://msdn.microsoft.com/silverlight), there are a number of very good examples of Silverlight working on the Web today. They include:
• Dr. Greenthumb (a Silverlight Game): http://labs.blitzagency.com/?p=50 (http://tinysells.com/82)
• Silverlight Scratchpad: http://notstatic.com/archives/65 (http://tinysells.com/83)
• Silverlight Egg Timer: http://blogs.interfacett.com/simon/2006/12/11/wpfe-egg-timer.html (http://tinysells.com/84)
Posted by Martin Heller on May 4, 2007 07:00 AM
May 01, 2007 | Comments: (0)

At Microsoft's MIX07 conference, the keynote was mostly about Silverlight. What is Silverlight, and why should we care about it?
Officially, Silverlight "is a cross-browser, cross-platform plug-in for delivering the next generation of .NET based media experiences and rich interactive applications for the Web." In other words, it's a browser plug-in that enables a subset of the capabilities of the Windows Presentation Foundation over the Web. It was previously called WPF/E.
From the user's viewpoint, to enable Silverlight, you download and install a 1.4 MB plugin, and then you can view Silverlight content in IE, Firefox or Safari. From a developer's viewpoint, once you have the tools installed, you instantiate Silverlight by including some JavaScript helper files from your HTML, and then you can display and script XAML files in your Web pages.
Microsoft cites four key benefits of Silverlight:
1. Compelling cross-platform user experiences
2. Flexible Programming Model with Collaboration Tools
3. High-quality media, low-cost delivery
4. Connected to data, servers, and services
Two versions of Silverlight were announced Monday: the V1.0 beta, and the V1.1 Alpha. What's the difference? The diagram below summarizes what's in each release:
[Diagram: contents of the Silverlight 1.0 beta and 1.1 alpha releases; image not reproduced]
Again, why should we care? If you're a cynic, Silverlight just looks like Microsoft's answer to Flash. But if you like the idea of XAML-based display, or the idea of programming in managed code, then Silverlight offers a compelling model for programming the Web client.
Posted by Martin Heller on May 1, 2007 12:38 PM
April 27, 2007 | Comments: (0)
Two books live on my desk when I'm working on Web pages with client-side scripting: David Flanagan's JavaScript: The Definitive Guide, 5th Edition (O'Reilly, 2006, 994 pp., $49.99, ISBN 978-0-596-10199-2), and Danny Goodman's Dynamic HTML: The Definitive Reference, 3rd Edition (O'Reilly, 2007, 1307 pp., $59.99, ISBN 978-0-596-52740-2).
They're both huge books, and their content overlaps substantially, but they both keep earning their spots. I reach for Flanagan if the question in my mind is primarily about some aspect of JavaScript, and for Goodman if the question is primarily about some aspect of HTML, XHTML, CSS or the Document Object Model.
Flanagan has two tutorial sections. Part I explains core JavaScript, and Part II explains browser DOM scripting. I read them once: they were nice. I don't think I have looked at them again since the latest edition of the book arrived.
It's the reference sections of the two books that I
return to over and over. Flanagan Part III is a complete reference to core JavaScript 1.5 and ECMAScript version 3. Flanagan Part IV is a reference for client-side JavaScript. It's notoriously difficult to write sophisticated cross-browser JavaScript: Flanagan helps you figure out what to do when, for example, an area is outside the DOM Level 2 standard and implemented differently in IE and Firefox.
Goodman Part I is a Dynamic HTML reference, with five subsections: HTML and XHTML, DOM, Events, Style Sheets, and core JavaScript. Part II has cross references to attributes, properties, methods and events. Part III has tables of color names, HTML character entities, keyboard event character values, editable content commands, HTML/XHTML DTD support, and a cross reference to Mozilla-based browser version numbers.
Posted by Martin Heller on April 27, 2007 06:00 AM
April 09, 2007 | Comments: (0)
Detecting IE7 Protected Mode, Take 2
On Friday, I posted one method that an ActiveX control or IE toolbar can use to determine whether IE 7 is running in Protected Mode. After thinking about this some more, I realized that there are many other ways to accomplish the same goal.
Much of the primary information on IE7 Protected Mode can be found in an MSDN article, Understanding and Working in Protected Mode Internet Explorer. That article mentions the IEIsProtectedModeProcess function I talked about on Friday, but it also explains some of the other characteristics of Protected Mode and Vista UAC mode. For example, Protected Mode modifies IE's environment, so that the Windows GetTempPath() API will return the value of %Temp%\Low rather than the value of %Temp% when Protected Mode is active.
Later in the article, the authors give a code sample, ShowProcessIntegrityLevel(), shown below, that looks at the current process token and determines its integrity level. The integrity level actually tells us more than just whether Protected Mode is enabled.
If we are in Protected Mode, the process integrity will be Low; if we are running as a normal user or running in UAC mode, the process integrity will be Medium; and if we are running as Administrator, the process integrity will be High. An ActiveX control that wants to expose the integrity level to JavaScript through a COM interface could run a variation on this code and return a short integer that is 0 for Low Integrity (Protected Mode), 1 for Medium Integrity (Normal User/UAC mode), and 2 for High Integrity (Administrator).
I really wish this was already built into IE 7, but it'll do.
#include <windows.h>
#include <stdio.h>

void ShowProcessIntegrityLevel()
{
    HANDLE hToken;
    HANDLE hProcess;
    DWORD dwLengthNeeded;
    DWORD dwError = ERROR_SUCCESS;
    PTOKEN_MANDATORY_LABEL pTIL = NULL;
    DWORD dwIntegrityLevel;

    hProcess = GetCurrentProcess();
    if (OpenProcessToken(hProcess, TOKEN_QUERY | TOKEN_QUERY_SOURCE, &hToken))
    {
        // First call with a NULL buffer to learn the required size.
        if (!GetTokenInformation(hToken, TokenIntegrityLevel, NULL, 0, &dwLengthNeeded))
        {
            dwError = GetLastError();
            if (dwError == ERROR_INSUFFICIENT_BUFFER)
            {
                pTIL = (PTOKEN_MANDATORY_LABEL)LocalAlloc(0, dwLengthNeeded);
                if (pTIL != NULL)
                {
                    // Second call fills in the mandatory label (an integrity SID).
                    if (GetTokenInformation(hToken, TokenIntegrityLevel, pTIL, dwLengthNeeded, &dwLengthNeeded))
                    {
                        // The integrity level is the last sub-authority of the label SID.
                        dwIntegrityLevel = *GetSidSubAuthority(pTIL->Label.Sid,
                            (DWORD)(UCHAR)(*GetSidSubAuthorityCount(pTIL->Label.Sid) - 1));

                        if (dwIntegrityLevel < SECURITY_MANDATORY_MEDIUM_RID)
                        {
                            // Low Integrity (Protected Mode)
                            wprintf(L"Low Process");
                        }
                        else if (dwIntegrityLevel >= SECURITY_MANDATORY_MEDIUM_RID &&
                                 dwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID)
                        {
                            // Medium Integrity (normal user / UAC)
                            wprintf(L"Medium Process");
                        }
                        else if (dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID)
                        {
                            // High Integrity (Administrator)
                            wprintf(L"High Integrity Process");
                        }
                    }
                    LocalFree(pTIL);
                }
            }
        }
        CloseHandle(hToken);
    }
}
Posted by Martin Heller on April 9, 2007 06:00 AM
April 06, 2007 | Comments: (0)
I have been wondering if there's a way that a Web page can tell if it's running in IE7 Protected Mode on Windows Vista. It turns out that yes, there is, but it's not as simple as I'd like.
My hope was that there would be flags that a page could check from JavaScript: ideally, a flag that says either
- "I'm in Protected Mode"
- "I've got normal privilege", or
- "I'm running as Administrator".
I didn't find anything like that, even though IE 7 displays the Protected Mode status to the user. What I did find is an IE API, the IEIsProtectedModeProcess function, which can tell a caller whether or not IE is a Protected Mode process by setting a BOOL parameter TRUE or FALSE.
It's in ieframe.dll, but only for IE 7 or later. And it is only supported in Microsoft Windows Vista or later. If you call it from earlier versions of Microsoft Windows, this function returns E_NOTIMPL as its HRESULT.
So, if I have this right, I could call this function from an ActiveX control or an IE toolbar, after first dynamically loading it from ieframe.dll. If I called it from an ActiveX control, then the ActiveX control could in turn expose a COM property to JavaScript. I know how to do that.
This seems like scratching your left ear with your right hand, doesn't it? But it should work.
Now I have to figure out how to safely tell if the IE process is running as Administrator. Somehow, I don't think trying to reformat the system drive would be an ideal test.
Posted by Martin Heller on April 6, 2007 06:00 AM
January 24, 2007 | Comments: (0)
As I mentioned on January 10th, I'm going through a stack of AJAX books. The first of the bunch is AJAX: Creating Web Pages with Asynchronous JavaScript and XML, by Edmond Woychowsky (Prentice-Hall, 2006, $44.99, ISBN 0-13-227267-9).
In general, this is a well-written book, with a lot of useful information to present. On the other hand, it's written with an attitude: some will find it refreshing or amusing, and others will find it annoying. I started off in the former camp, and ended up in the latter.
Woychowsky starts by discussing Web pages and their taxonomy, introduces Ajax concepts, explains HTML, XHTML, and CSS, and offers a brief introduction to JavaScript. You can skip all that if you already know the material. Then he offers a chapter that discusses "Ajax Using HTML and JavaScript", which is something quite primitive that wouldn't normally be called Ajax; he does it from the ground up in 46 pages, and manages to throw in MySQL stored procedures. Don't ask.
Then it's off to a whirlwind tour of XML, and then on to 25 pages on XMLHttpRequest, which is a key component of Ajax as we know it. Then, finally, he's ready to talk about traditional Ajax, using XML and XMLHttpRequest. After that, he wants to talk about Ajax using XSLT, because he's a self-described XSLT geek, so he first has to wander off into XPath and XSLT-land; again, skip a couple of chapters if you already know that stuff. Near the end of the journey, we detour to Ruby on Rails, and finally get to its Ajax support; I'm not completely sure why Woychowsky bothered with that particular side trip.
Woychowsky's book is part of Bruce Perens' Open Source Series, so maybe I should cut Woychowsky some slack about the gratuitous slurs against Microsoft in his book. On the other hand, some of them are inaccurate and misleading: for example, when he discusses ATLAS, which was the temporary codename for what is now called ASP.NET AJAX, he wanders off into a rant about "not invented here" syndrome, and then explains that he can't run ATLAS because he doesn't have $549 for Visual Studio 2005 Professional. Excuse me, Edmond: Visual Web Developer 2005 Express Edition is free for the downloading, and works just fine with ASP.NET AJAX.
Woychowsky presents his own home-grown Ajax library in Chapter 12, "Better Living Through Code Reuse." It's not bad at all: you could do a lot worse. And you could easily modify it to your own devices and desires. (The sample code is here, but you'll understand it better if you have the book.)
This is definitely not a book about using commercial Ajax libraries, or even free Ajax libraries, although Woychowsky likes the free Sarissa library and gives it 5 pages. On the other hand, the book is a good foundation for doing Ajax development yourself, and once you know how to do that you can intelligently examine the construction of the Ajax library your management wants you to evaluate, to see if it actually makes sense for your application.
Posted by Martin Heller on January 24, 2007 06:00 AM
January 10, 2007 | Comments: (0)
My so-called office is getting smaller and smaller, because my books no longer fit on the shelves, and I don't really have room for more shelves. I'm making some progress clearing out old stuff, but it's hard because I still use some books from 20 and even 30 years ago. It's actually easier for me to discard old computers and software than old books. This was to my benefit a couple of years ago when I was working on an intellectual property case that hinged on computer technology from the 1980s, but that's another story entirely.
Anyway, the newer books are in piles on the floor; the tallest pile is about 4 feet high. One of the shortest piles contains half a dozen books about AJAX:
- AJAX: Creating Web Pages with Asynchronous JavaScript and XML, Edmond Woychowsky, Prentice-Hall, 2006, $44.99, ISBN 0-13-227267-9
- Ajax Design Patterns: Creating Web 2.0 Sites with Programming and Usability Patterns, Michael Mahemoff, O'Reilly, 2006, $44.99, ISBN 0-596-10180-5
- Ajax Hacks: Tips & Tools for Creating Responsive Web Sites, Bruce W. Perry, O'Reilly, 2006, $29.99, ISBN 0-596-10169-4
- Build Your Own Ajax Web Applications, Matthew Eernisse, SitePoint, 2006, $39.95, ISBN 0-9758419-4-7
- Pragmatic Ajax: A Web 2.0 Primer, Justin Gehtland, Ben Galbraith, and Dion Almaer, Pragmatic Bookshelf, 2006, $29.95, ISBN 0-9766940-8-5
- Understanding AJAX: Using JavaScript to Create Rich Internet Applications, Joshua Eichorn, Prentice-Hall, 2006, $39.99, ISBN 0-13-221635-3
Do you need any or all of these books? I'm not sure. I can only tell you what each book is about, once I've read them myself. Stay tuned.
Posted by Martin Heller on January 10, 2007 06:41 AM
January 08, 2007 | Comments: (0)
Subverting AJAX: Prototype Highjacking
One of the most interesting parts of the JavaScript language is the prototype property, which underpins the language's object-oriented inheritance. In JavaScript, functions are a specialized kind of object; every function (and indeed every JavaScript object) has a prototype property that refers to a predefined prototype object, which comes into play when the function is used as a constructor with the new operator.
Prototypes are not limited to user-defined classes. Even built-in JavaScript classes have prototype properties, and you can assign values to them.
This is extremely powerful. It is also extremely dangerous. Using prototyping, an attacker can hijack standard functions in a way that breaks security without causing any error message. Browsers try to prohibit this by dropping the prototype property for some of their internal functions, but there's a way around that protection.
At the 23rd Chaos Communication Congress, held at the end of December in Berlin, Stefano Di Paola and Giorgio Fedon gave a talk called Subverting AJAX (PDF), in which they explained exactly how to do this. Coupled with a cross-site scripting attack and a cleverly crafted phishing email, such an attack could turn an AJAX application into a keylogger with a man-in-the-middle attack strategy. Consider the following diagram, from Di Paola and Fedon's paper:
What's happening here is that the attacker has hijacked the browser's XMLHttpRequest object, and wrapped it with his own keylogging logic. How hard is this to do? Not very hard at all. The key code would be:
var xmlreqc=XMLHttpRequest;
XMLHttpRequest = function() {
this.xml = new xmlreqc();
return this;
}
This is fairly subtle, but it's devastating. XMLHttpRequest has been redefined to be a wrapper for itself. Any time a new instance of XMLHttpRequest is intended to be created in subsequent code, the wrapper method will be created instead. It now doesn't matter that the original XMLHttpRequest function didn't have a prototype property: the new one does.
Once the attacker has prototypes at his disposal, he can redefine key methods. For example, he can redefine the send method to sniff and/or modify the content, as shown in the figure above and the following code:
XMLHttpRequest.prototype.send = function (pay){
// Hijacked .send
sniff("Hijacked: "+pay); //log the original message
pay=HijackRequest(pay); //change the message
return this.xml.send(pay); //send it on
}
The classic response to this kind of exploit would be "disable JavaScript in your browser." Unfortunately, AJAX applications inherently require JavaScript, and most people really like the improved user experience of AJAX applications compared to conventional Web applications.
I don't have a good solution, other than constant vigilance on the part of every author and user of AJAX applications. We're back to "Don't talk to strangers," kids. In the words of the original CERT bulletin about cross-site scripting,
"users can gain some protection by being selective about how they initially visit a Web site. Typing addresses directly into the browser (or using securely stored local bookmarks) is likely to be the safest way of connecting to a site."
(Thanks and a tip of the hat to Roy M. Silvernail, who alerted me to this exploit.)
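One defensive check that follows from the wrapper technique above, added here as an example and not taken from the post or from Di Paola and Fedon's paper: record the trusted XMLHttpRequest references in the first script that runs, compare them later, and build requests from the recorded constructor rather than the global name. The names `makeFakeWindow`, `snapshotXhr`, `checkXhr` and `newTrustedXhr` are hypothetical, and `win` stands in for the browser's window object so the code runs outside a browser.

```javascript
'use strict';

// Constructed stand-in for a browser window whose XMLHttpRequest is the
// browser's own constructor. In a real page you would pass `window` itself.
function makeFakeWindow() {
  function XMLHttpRequest() { this.sent = null; }
  XMLHttpRequest.prototype.open = function (method, url) { this.url = url; };
  XMLHttpRequest.prototype.send = function (body) { this.sent = body; };
  return { XMLHttpRequest: XMLHttpRequest };
}

// Record trusted references as early as possible, before any third-party
// or injected script has had a chance to run.
function snapshotXhr(win) {
  const ctor = win.XMLHttpRequest;
  return {
    ctor: ctor,
    proto: ctor.prototype,
    open: ctor.prototype.open,
    send: ctor.prototype.send,
  };
}

// Compare the live globals against the snapshot. Returns a list of what
// no longer matches; an empty list means no replacement was observed.
// Identity comparison cannot be fooled by a look-alike function, but it
// only catches changes made after the snapshot was taken.
function checkXhr(win, snap) {
  const findings = [];
  const ctor = win.XMLHttpRequest;
  if (ctor !== snap.ctor) findings.push('constructor replaced');
  if (ctor && ctor.prototype !== snap.proto) findings.push('prototype object replaced');
  if (snap.proto.open !== snap.open) findings.push('prototype.open replaced');
  if (snap.proto.send !== snap.send) findings.push('prototype.send replaced');
  return findings;
}

// Mitigation: construct requests from the captured constructor rather than
// the global name, so a later reassignment of XMLHttpRequest is not used.
function newTrustedXhr(snap) {
  return new snap.ctor();
}
```

The check is only as good as its timing: a script injected before the snapshot runs will be recorded as trusted.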
Posted by Martin Heller on January 8, 2007 10:24 AM
January 03, 2007 | Comments: (0)
In all the discussion of the difficulty of AJAX, the relative merits of the various free and commercial AJAX libraries, the AJAX support in control packages, and the AJAX support built into or added onto Web server technologies like Ruby on Rails and ASP.NET, it's easy to forget that AJAX is essentially a fairly simple idea. When you strip it down, AJAX is a way of using JavaScript, CSS, the browser DOM, and the Microsoft XMLHTTP interface to make asynchronous calls to the server to update selected data.
Here's some sample code in JavaScript, which Microsoft provided years ago to illustrate how to use XMLHTTP:
var xmlHttpReq = new ActiveXObject("MSXML2.XMLHTTP.3.0");
xmlHttpReq.open("GET", "http://localhost/books.xml", false);
xmlHttpReq.send();
WScript.Echo(xmlHttpReq.responseText);
How hard is that?
Yes, yes, I know that the object is now called "Microsoft.XMLHTTP", and that the last line of the sample is code for the Windows Scripting host, and won't run on a Web site. Instead, you would use dynamic HTML to update a region on the page. You'd have a named DIV, and you'd set the DIV's innerHTML element to the new content.
Again, how hard is that?
Now, is there more to it? Of course: I'm oversimplifying, or there wouldn't be any good reason for all those AJAX libraries. The minute you try to make an AJAX application work on multiple browsers and/or multiple operating systems, you run into compatibility issues. You might want to use a different data format than XML. You might want to build additional layers on AJAX to implement special effects, like the ones in Gmail and Flickr that helped the AJAX technology take off. The list of what you might want to do is almost as long as the list of solutions.
But enough about what I think. What do you think?
Posted by Martin Heller on January 3, 2007 06:49 AM