Blog to discuss Midnight Coders products features, ideas and trends in development of Rich Internet Applications

Monday, October 30, 2006

WebORB for PHP 1.3 (now with Flex security)

WebORB for PHP v.1.3 is now generally available. The most important feature in the release is the support for the RemoteObject.setCredentials API. WebORB includes a reference implementation of a basic security manager so in a nutshell you get a complete solution. Before I delve into the details of how Flex security works with WebORB, a few words about our security model:

WebORB provides an extensible mechanism for restricting access to programming resources (remote classes and their methods). The product supports two security modes: open and closed. The open mode enables access to ALL classes deployed in the server. Access to specific classes can be restricted using weborb configuration file (/Weborb/weborb-config.xml). The closed mode disables access to ALL classes except for the ones with explicit access grants in the configuration file.

WebORB delegates authentication and authorization handling to handlers. The diagram below provides an overview of how WebORB handles authentication and authorization.



Upon receipts of an authentication request, WebORB delegates to the preconfigured authentication handler to check user credentials and establish their validity. The box represented as the "Security Domain" can be any store with information about user credentials (a database, ACL configuration file, remote single sign-on service, etc). If the credentials are valid a record is made in the session. Subsequent invocations for the secured services must be passed by a preconfigured authorization handler. The handler checks if the logged on user is authorized to access the service. If the check passes, the invocation proceeds, otherwise an error is generated.

The default implementation of authentication and authorization handlers in WebORB is rather basic. It is based on a collection of user names, passwords and assigned roles captured in the element of weborb-config.xml. Here's an example of an ACL record for a user:

<acl>
 <user>
  <name>admin</name>
  <password>changeme</password>
  <role>administrator</role>
 </user>
</acl>

Now that the "administrator" role name is assigned to a user with the admin/changeme credentials, a service can be secured using one of the following two approaches:

  1. Using Flex's remoting-config.xml

    \Weborb\WEB-INF\flex\remoting-config.xml contains a list of destinations (PHP classes) exposed to Flex clients. In order to secure a destination use the format shown below:

    <destination id="SecureTest">
     <properties>
      <source>HelloWorld</source>
     </properties>
     <security>
      <security-constraint>
       <auth-method>Custom</auth-method>
       <roles>
        <role>administrator</role>
       </roles>
      </security-constraint>
     </security>
    </destination>

    When WebORB receives an invocation request for the HelloWorld class, it will delegate to AuthorizationHandler to make sure the currently logged in user has the "administrator" role.

  2. Using weborb configuration file - \Weborb\weborb-config.xml:

    Securing a class in WebORB config is a 2 step process:
    1. An access constraint is defined as shown below:

    <access-constraint action="grant">
     <name>OnlyAdmin</name>
     <role>administrator</role>
    </access-constraint>

    2. The constraint is applied to a class (or a method) to restrict access as shown below:

    <secure-resource>
     <resource>HelloWorld</resource>
     <constraint-name>OnlyAdmin</constraint-name>
    </secure-resource>

    This will produce the same result as restricting access to HelloWorld using the first approach.
Once the server side is configured, the client code is easy. Create an instance of RemoteObject (or use mx:RemoteObject mxml tag). In order to associate credentials with the remote object instance (technically, the credentials are assigned to the entire channelset), invoke the setCredentials method as shown below:

var ro:RemoteObject = new RemoteObject( "SecureTest" );
ro.setCredentials( "admin", "changeme" );

Any invocation at this point will require authorization of the user identified by the provided credentials.

WebORB for PHP 1.3 includes an example demonstrating security in action. Just run the example at http://localhost/Examples/FlexRemoting/main.html and click on the "Run Secure Invocation" button.

posted by Mark Piller at 3:50 PM | 5 Comments  

Sunday, October 29, 2006

Accessing Ruby's ActiveRecords from Flex

Daniel Wanja at OnRails.org posted a fantastic tutorial describing how to access Ruby's ActiveRecords from a Flex application. This is a must read if you're into Ruby and Flex.

posted by Mark Piller at 11:40 PM | 0 Comments  

Tuesday, October 24, 2006

Mindshare management: What Adobe could do next

Attending MAX has been a fantastic experience. Being here makes one realize how grand the opportunity Adobe has with Flex and Apollo. People familiar with Flx rave about it, its ease of use, and simplicity of development. However the number of people not familiar with Flex (based on the discussions I had here) is staggering, hence is my question: how can Adobe start winning the mindshare? Having developers mindshare directly translates to new applications written, which inherently effects the bottom line. Very few software development companies really mastered how to inject information about tools and products or just ideas into developer heads. Microsoft in particular knows how to do it really well. So what could Adobe do:
  1. Position Flex and Apollo as the focal point of the Adobe's 'development tools' product line. Right now these products are just one of many. For example, the both for Flex and Apollo at MAX is for some reason on the outskirts of the exhibition floor.
  2. Make the Apollo buzz more 'material' by releasing an early alpha or a preview of the product, let people experiment with it.
  3. Embrace other development platforms and make them equal from the backend support perspective. Exclusivity with Java is not a winning strategy.
  4. Stop comparing Flex with Ajax. The "Go Beyond Ajax" ads do not accomplish anything. I think comparing it with something like ASP.NET or WPF would be a lot more effective.
  5. Do grandiose marketing campaign. Remember Microsoft's tv ads for .NET? :)
  6. Get community portal going. Yes, there is flex.org, but its mostly a reference site with a bunch of [helpful] links, but not more than that.
  7. Engage development community with app development contests. Something like Flex Derby should be an ongoing contest with winners selected monthly or quaterly.
  8. Expose and standardize proprietary protocols: AMF0, AMF3, RTMP, etc.
I am sure there is more. If I can think of any additional ideas I will do a follow on post.

posted by Mark Piller at 3:04 PM | 7 Comments  

My MAXUP session - 3:15 today

If you are here at MAX and would like to see a demo of the new features in the upcoming WebORB Enterprise, come by for my session at 3:15 today. The MAXUP sessions are on the same level where the exhibition floor is (level 5).

posted by Mark Piller at 11:21 AM | 0 Comments  

Thursday, October 19, 2006

WebORB Enterprise (Flex Messaging for .NET) preview at MAXUP

If you are going to MAX and interested to see a preview of WebORB Enterprise make sure to stop by the MAXUP area. I will be reserving a spot to present on Monday and will post the exact time of my presentation then. I plan to demonstrate pub/sub messaging between Flex and .NET, support for SharedObjects in .NET and some other really cool stuff.

posted by Mark Piller at 8:56 PM | 0 Comments  

Monday, October 16, 2006

WebORB for .NET nightly builds

In preparation for the GA release of WebORB Professional Edition for .NET we will be making available nightly product builds on our interest group. If you are working with WebORB for .NET or looking into Flex Data Services integration with .NET, I highly recommend joining the group to get almost daily product updates. (the first one is coming up today).

posted by Mark Piller at 12:48 PM | 1 Comments  

Friday, October 13, 2006

Scoble on Adobe vs. Microsoft death match

Scoble posted his analysis on Adobe and Microsoft entering a death match. He completely misses Flex, but indirectly refers to Apollo:
I was over at Adobe yesterday and they have some major things coming next year that’ll play off of Adobe’s strengths and take the battle back to Redmond.
I am glad to see the attention this is getting. It will certainly help in promoting Flex even further. As a response to Microsoft's Visual Studio 2005 vs. Dreamweaver page, Adobe should put out just as detailed comparion between Flex/Apollo and Visual Studio, just to say "yes, we're here for a hardcore battle".

Update:
I went on to search what other people are saying on this subject. I noticed JD's post and honestly was surprised by his take on it. JD, I think it is absolutely a coming war. Developers have always been the cornerstone of Microsoft's strategy. Any Microsoft's product release is touted to developers first. Adobe is encroaching into Microsoft's territory; otherwise you would not see that VS vs. DW comparison. Obviously you do not speak for the entire Adobe, but your comment makes me realize that the overall view within Adobe on the forming battle field is different, sounds like you want to see it a peaceful place. This clearly explains why Adobe is so exclusively fascinated with Java. I hope the realization comes fairly soon that the more developers you get on board the bigger prize you are going to get.

posted by Mark Piller at 4:45 AM | 4 Comments  

Wednesday, October 11, 2006

Going to Adobe MAX 2006

Midnight coders are going to the city that never sleeps [imagine the possibilities :)]!
I just booked my flight and a hotel and now all set to go to MAX in a few weeks. I was asked at least by two dozen of people if I am going to be there. The original plan was not to go since we could not get any speaking spots and reserving a vendor's booth is way too expensive. I also hope to present the latest feature set in WebORB Enterprise at the MAXUP. See you in Vegas!

posted by Mark Piller at 10:53 PM | 0 Comments  

WebORB and FDS, friends or foes?

I keep running into the questions about WebORB and its relationship with FDS. Is WebORB a replacement for FDS? Is it an add-on? Is it a complementary technology to what Adobe is doing? I'd like to take a moment to address these and other related questions.
  1. First off, right from the get go we said we do not plan to add Flex integration into WebORB for Java. That edition of the product supports Ajax and Flash Remoting (AMF0) and does not offer ANY kind of Flex integration. So from the perspective of our Java offering, it should not be even on the radar for anyone developing with Flex.

  2. We offer Flex integration for the following platforms and development environments: .NET, PHP and Ruby on Rails. Now if you spend 2 minutes on the Adobe's website (you are welcome to take more time if you want to), it will be quite clear that Adobe's Flex offering, or to be precise Adobe's FDS product offering is available only for Java. As a result, if you are a .NET, RoR or PHP developer, the most you can do with FDS is to use WebServices or plain HTTP requests to integrate your backend code with the Flex clients.

    WebORB is a technology that fills that gap. It is not a replacement, since it is physically impossible to replace void (if you figure out how to do that, you might as well claim the Nobel prize). So to put a label on it, our product complements Adobe's product offering by extending it to other platforms. Any .NET, RoR or PHP developer using WebORB can get all the benefits of Flex Remoting, Data Management and soon Messaging for their native environments.

  3. How does WebORB integrate with Flex then? Our goal is deliver the same kind of developer experience to the .NET, PHP and Ruby developers as one would have with the Java implementation. To us Flex is a standard. Just like SOAP is with a variety of implementations from Microsoft, BEA, Sun, etc. As a result, WebORB is an implementation of such a standard. You will find the same development process, same configuration files, same APIs, same on-the-wire protocol, etc.
The bottom line is: WebORB is NOT a replacement for FDS. Java folks develop with FDS, everyone else develops with WebORB.

posted by Mark Piller at 4:38 PM | 4 Comments  

Tuesday, October 10, 2006

WebORB Data Services for Flex in .NET status update

It's been a while since I wrote anything about WebORB for .NET. We are making excellent progress with the WebORB Enterprise Edition. The new edition will include full Flex integration (Remoting, Data Management and Messaging). Here's what will happen with the current release:

WebORB Professional 2.1 Beta 5 for .NET will go into GA around the end of October or early November at the latest. The GA release will be known as WebORB Professional Edition 3.0 and will contain production quality support for Flash and Flex Remoting (AMF0 and AMF3). Around the same time we will release WebORB Enterprise Edition 3.0 Beta 1. The EE will have all the same features of the Professional Edition as well as Data Management and Messaging. The goal is to release Enterprise Edition into GA by the end of the year.

WebORB Enterprise looks really cool. In addition to very elegant integration with .NET and makes it very easy to create dynamic, real-time , clustered messaging applications. We integrated the product with MSMQ which became a backbone for all WebORB's real-time messaging. We hope the wait is going to be worthwhile for anyone waiting on the release.

To avoid any terminology-clash between WebORB and FDS, the unified term for all the Flex integration in WebORB is going to be "WebORB Data Services for Flex". We want to avoid labeling WebORB as "FDS for .NET" or anything like that, since FDS is a product by Adobe, so we need to make a clear distinction. I am very interested to know what you think about it.

posted by Mark Piller at 8:03 PM | 2 Comments  

Monday, October 09, 2006

Oi vai, Coach Wei!

John Dowdell has a pretty good post in response to NexaWeb's CTO article on Sys-con. I agree with most everything JD had to say, but thought I'd throw my $0.02 as well.

1. I personally hate when people start throwing around labels like "open-standards", "standards-compliant" card without any supporting substance. First off, there are de jure and de facto standards. If something came out of W3C, Oasis or any other standards body that's your de jure. If millions of people adopted a technology or if ~95% of computers in the world run a non-W3C approved technology, that's a de facto (read Flash plugin here).

2. I checked NexaWeb's examples on their site to see how "standards-compliant" they are, and guess what: with the Java plugin disabled, here's the message I get for all but one of their examples (the one that works is a simple Google Maps-based app):

You don't have JAVA plugin enabled or installed, click here for more info.

With that in mind, does the following conclusion in Coach's article hold any water??:
"Ajax is open, standard-based and web-native. Flash is not open standards-based. Flash content is not native web content and has a lot of interoperability issues with other web technologies"
If you do not mind me asking, does Java Applet programming constitute as Ajax development? Isn't NexaWeb using a plugin which is a lot more closed-source than the Flash plugin? How "web native" is Java applet-based content?

3. I am sick and tired to hear those baseless attacks on Flash and even more meaningless comparisons between Flash and Ajax ( I really should say Flex and Ajax). I'd like to see Adobe taking a firmer position on this subject. I think the policy of trying to satisfy everyone's interests will not produce the desired results. Flex is NOT a technology complementary to Ajax. It kicks Ajax's butt. The technologies are beyond any comparison. If you care to compare, you might as well write an analysis on how space shuttle technologically differs from Model-T.

I have done a number of Ajax-based projects and the experience of tweaking JavaScript to make it work the same in all browsers is nauseating to say the least. Parsing or composing XML using JavaScript is completely retarded. Come on, it is 21st century and you're coding XML by hand?? using JavaScript?? I'd rather get paid doing something more enjoyable (like creating WebORB-based apps, he he he :) )

posted by Mark Piller at 6:28 AM | 3 Comments  

Wednesday, October 04, 2006

My "Flex for the Enterprise" presentation at AjaxWorld'06

I had an opportunity to speak at the AjaxWorld Conference in Santa Clara yesterday. The conference is for the Ajax developers, but also had a separate track dedicated to Flex. For some reason my session was not part of the Flex track, but instead was placed into the "Key Issues" track category. Go figure!

I anticipated an adversary audience, but was pleasantly surprised to see people reacting very positively to my delivery of Flex. Sys-con recorded the session, so the video should be available some time in the near future (I assume).

I hear a lot of folks talking about Flex and Ajax coexisting in the same enterprise, moreover the main marketing push by Adobe is to position Flex as a complementary technology. In my mind I still do not understand how Flex can be positioned that way. It is either one or the other. If you're building the next MySpace or Netvibes, go with Ajax. Your users will demand high level of customization and it will be much easier to accomplish it with DHTML/JavaScript. However, if you want to build a cool management console, next generation order entry system or datacenter monitoring app, you will save a TON of time (read money) if you go with Flex.

You can download the slides for my presentation here.

posted by Mark Piller at 8:12 AM | 3 Comments