Open Web Application Security Project

March 9, 2007 at 11:42 am (Uncategorized)

The OWASP guidelines outline the top 10 security vulnerabilities in web applications and how to defend against them.

Read more here.

SOA Worst Practices

March 7, 2007 at 3:11 pm (SOA)

...and how to avoid them. There are undoubtedly many more, but these should help keep you honest if you think SOA is some kind of silver bullet.

Read the full article here

Many thanks to bitpipe.

Business and Technical Benefits of AJAX Part 1

March 7, 2007 at 2:12 pm (ASP.NET AJAX, Web)

For the uninitiated (and I mean those of you who have been living in a cave in Outer Mongolia for the last 3 years), here is Wikipedia’s definition of AJAX and here are some AJAX apps you can try right now from the comfort of your own browser. Here are some more – GoogleMail, del.icio.us, WordPress. Read, play, enjoy.

This is not an intro to AJAX / Web 2.0. Neither term describes any technology that’s particularly “new”. You could have built AJAX / Web 2.0 web sites in the 1990’s. It’s just that in the last few years the technologies that enable these applications have been re-discovered and given nice names. And thanks to some superb efforts by the likes of Google Labs, del.icio.us and Flickr, AJAX apps have been hot stuff for some time.

AJAX is the technique behind producing rich, responsive websites. “Web 2.0” is the new term for the world of AJAX applications. It’s a marketing buzzword, used in the same way (for example) “digital” is used to sell hi-fis with clearer sound. Like many other such buzzwords, its veneer is paper-thin – an analog valve amp has far better sound than a digital one; there is no “Web 2.0” either, since AJAX, blogs and wikis have been around for nearly ten years now.

However, it’s a term that’s here to stay, it describes web applications with what is by now a “certain feel”, and it’s more business-friendly than trying to explain what Asynchronous Javascript And XML over HTTP means. Get used to it. I prefer “AJAX Application”, but if clients ask “can you do Web 2.0 ?”, the correct reply has to be “of course !”

Users like using them. Developers like writing them. IT managers like deploying them. CIOs are rightly cynical of any new bandwagon and want to know what the fuss is all about before giving the all-clear to invest in what they may see as another potential IT white elephant.

Part 1 will outline the benefits. Part 2 will outline the challenges. And Part 3, the challengers – the various and numerous techniques, tools and frameworks for building AJAX apps using .NET.

In brief – AJAX applications are both “reach” and “rich”. An AJAX-enabled web application uses ubiquitous standards and protocols – DHTML, Javascript and XML over HTTP. To use one, a user only needs a compliant browser. They offer a richer, more responsive and more desktop-familiar user interface.

What are the potential business benefits of this improved user experience ?

Responsive user interfaces

Not having to wait for the entire page to be re-posted to the client after a Submit greatly improves the user’s focus on workflow. In the common form-filling scenario, providing immediate feedback helps a user focus on the task in hand, rather than having their concentration interrupted by a lengthy page-refresh cycle. In an intranet application this means greater productivity, as less time is spent waiting and thus less chance of the train of thought falling off the tracks. In a public site this encourages the user to stay on the site and not wander off elsewhere. Users are more likely to actually use the site, complete forms – whatever the site offers.

Improved data quality

A user interface that is more responsive in highlighting invalid form entries will improve data quality. Validation must always take place on the server as well as the client – AJAX applications are not immune to the same kinds of scripting attacks as regular web applications. But even though data validation is taking place on the client, server-side validation can be used without refreshing the whole page, in other words much more quickly than by a non-AJAX application.

Users will trust an application that demonstrably ensures data quality.
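As an added illustration of the point above (example code, not from the original post): the same validation rules give the user instant feedback in the browser, while the server re-applies them to whatever it actually receives and answers with a small JSON fragment rather than a whole page. The form fields, rules and handler names are assumptions for the example.

```javascript
// Hypothetical order form: quantity must be an integer 1..99, email must look like one.
// A rule returns true when the value is acceptable, otherwise a short message.
const RULES = {
  quantity: (v) => /^[1-9][0-9]?$/.test(String(v)) || 'quantity must be 1-99',
  email: (v) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(String(v)) || 'invalid email',
};

// Runs in the browser as the user types: immediate feedback, no round trip.
// Returns null when the field is fine, otherwise the message to show next to it.
function validateField(name, value) {
  const result = RULES[name] ? RULES[name](value) : 'unknown field';
  return result === true ? null : result;
}

// Naive server handler: trusts a "clientValidated" flag that the browser sends.
// The request body is entirely under the sender's control, so bad data gets through.
function handleSubmitNaive(rawBody) {
  const form = JSON.parse(rawBody);
  if (form.clientValidated) return { status: 200, body: { ok: true } };
  return { status: 400, body: { ok: false, errors: ['not validated'] } };
}

// Hardened server handler: re-validates every field with the same rules and
// ignores anything the client claims about its own checks. The small JSON reply
// is what the AJAX call renders in place, without a full page refresh.
function handleSubmit(rawBody) {
  let form;
  try {
    form = JSON.parse(rawBody);
  } catch (e) {
    return { status: 400, body: { ok: false, errors: ['malformed JSON'] } };
  }
  const errors = Object.keys(RULES)
    .map((name) => validateField(name, form[name]))
    .filter((msg) => msg !== null);
  if (errors.length) return { status: 400, body: { ok: false, errors } };
  return { status: 200, body: { ok: true } };
}

// Constructed request body that never went through the client-side checks.
const CRAFTED = JSON.stringify({ quantity: 0, email: 'not-an-email', clientValidated: true });
```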

More interactive user interfaces

Users want to use applications that are interactive. Ideally they’d like web applications that mimic the functionality and responsiveness of a desktop equivalent. MS Outlook Web Access and Project Server score highly in this regard – they offer a familiar UI, a similar experience to their Windows counterparts. Inboxes can be sorted and paged, emails spell-checked, colors and fonts selected, and so on. Users will want to continue using a web application that offers them this kind of interactivity.

Increased participation

Optional participation – comments, ratings and so forth – can be presented in a much more desktop application-like way with AJAX. This improves the chances of users actually using such features. Feedback from web application users can be a vital decision-making aid, and increased feedback will help make better-informed decisions.

What are the potential Technical benefits of AJAX Applications ?

There are numerous challenges, which will be covered in part 2. But on the whole, the technical benefits stack up in favour of AJAX applications. These benefits include low-cost deployment & centralized management as per any other web application, greater leverage of client processing & associated lower server-side processing requirements and lower bandwidth costs.

Low-cost deployment & centralized management

As AJAX applications are web applications, deployment and versioning have no end user impact. For any kind of app, intranet, extranet or public internet, this is a great advantage over traditional “rich” applications. Application performance can be profiled and monitored centrally, upgrades rolled out seamlessly and all within the control of traditional IT functions.

Greater leverage of client processing & reduced server processing

As mentioned in the user-experience benefits, a greater amount of validation is performed on the client machine. Interactivity such as sorting, paging and so on can also be handled by client-side code. This is not only perceptibly faster to users, but places less load on the server, which would otherwise have had to handle the sorting/paging itself, with database-fetching overheads.

Developer productivity and satisfaction

Most web developers who have had any exposure to AJAX want to be building AJAX applications themselves. This should not be seen as allowing free rein to build every single in-house and public-facing app as an AJAX-enabled web application; at the same time, there almost certainly are one or more existing or in-pipeline projects you are considering that could benefit from an AJAX implementation. A less tangible but very real benefit would be developer satisfaction in working on such projects, something development managers can hardly ignore.

Thanks for reading. If you’re still not convinced, perhaps some cold hard figures might sway you – this is an article by Alexei White, which goes into detail of actually measuring the potential benefits, including a test case with cost savings analysis.

Additional links

When Does Ajax Make Business Sense ?

Intercepting Filter Pattern

March 6, 2007 at 2:13 pm (Patterns)

If you’ve no idea what patterns are – where have you been ? – then the book “Design Patterns: Elements of Reusable Object-Oriented Software” (ISBN 0-201-63361-2) is essential reading, as is the Data and Object Factory site.

The more C#-oriented among us might like to read James Cooper’s “C# Design Patterns” (ISBN 0-201-84453-2) and Christian Thilmany’s “.NET Patterns” (ISBN 81-297-0290-8).

Patterns are a software design technique that provides solutions to common scenarios, helps you recognise such scenarios when they arise, and helps you identify patterns of your own.

There are a lot more design patterns out there than the recognised Gang of Four’s. Identifying which pattern could be implemented to solve a particular type of development scenario is only scratching the surface. Sure this will save you time and improve the consistency of your designs, but part of becoming a good patterns practitioner is to be able to spot new patterns emerging as you become more experienced.

These can range from relatively simple UI implementation patterns – of which there are many – to more complex patterns dealing with request brokers, factories, pipeline processing and so on. This is as much of an intro as you’re going to get from me :)

“So what’s an intercepting filter pattern when it’s at home ?” you cry. This is a link to another article by Jon Wojtowicz. It’s an interesting article on the sequential processing of data. The article resonated with me as it seems to describe Biztalk 2004/06’s pipeline-preprocessing model, something I have been working a lot with lately.

As the article mentions, the pattern does not describe workflow-style orchestration but rather a flow of data through pluggable components. These components fit the GoF mantra “program to an interface, rather than an implementation” and in much the same way as Biztalk pipeline components, can be reused and rearranged in different orders by encapsulating classes without requiring change within the component classes themselves. Nice.

Order Processing might be a scenario this would fit into, though I think Order Processing is more of a workflow/orchestration-type process. Data migration and data integration-type scenarios fit this pattern pretty well.
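To make the "pluggable components in an encapsulating chain" idea concrete, here is an added example of the pattern applied to the data-migration scenario above (my own illustration, not code from the linked article). Every filter implements the same `execute(record, chain)` interface and knows nothing about its neighbours; the chain, not the filters, decides the order, and the example shows that the order matters.

```javascript
// The encapsulating class: holds the ordered filters and the final target handler.
// Create a fresh chain per record, since it tracks its position while running.
class FilterChain {
  constructor(filters, target) {
    this.filters = filters; // objects with execute(record, chain)
    this.target = target;   // handler reached once every filter has passed the record on
    this.index = 0;
  }
  // Each filter calls doFilter to hand the record to the next component.
  doFilter(record) {
    if (this.index < this.filters.length) return this.filters[this.index++].execute(record, this);
    return this.target(record);
  }
}

// Component 1: normalise string fields by trimming whitespace.
const trimFilter = {
  execute(record, chain) {
    const cleaned = {};
    for (const [k, v] of Object.entries(record)) cleaned[k] = typeof v === 'string' ? v.trim() : v;
    return chain.doFilter(cleaned);
  },
};

// Component 2: reject records missing required fields (stops the chain early).
const requiredFilter = (fields) => ({
  execute(record, chain) {
    const missing = fields.filter((f) => record[f] === undefined || record[f] === '');
    if (missing.length) return { ok: false, error: `missing: ${missing.join(',')}` };
    return chain.doFilter(record);
  },
});

// Component 3: audit trail of what passed through (hypothetical in-memory log).
const auditLog = [];
const auditFilter = {
  execute(record, chain) {
    auditLog.push(`seen ${record.id}`);
    return chain.doFilter(record);
  },
};

// Target: the migration step that would store the record (hypothetical).
const importRecord = (record) => ({ ok: true, stored: record });

// Run one record through a chosen ordering of the same, unchanged components.
function migrate(record, filters) {
  return new FilterChain(filters, importRecord).doFilter(record);
}

// Constructed input: id padded with spaces, email that is whitespace only.
const SAMPLE = { id: ' 42 ', email: '   ' };
```

With trimming before the required-field check the whitespace-only email is caught; with the order reversed it slips into the target as an empty string, so the chain's ordering is itself a design decision.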

A word from my sponsors

February 28, 2007 at 3:43 pm (Uncategorized)

I work for Unique World, a Sydney-based IT solutions consultancy and Microsoft Gold Partner. Check us out. Now.
