We are currently building a web application for the financial services sector that is highly depending on client side JavaScript and DOM manipulation. Each time the user changes an input parameter the following steps are executed:

• the data is collected from the user interface,
• sent to the server,
• processed there,
• sent back to the browser
• where the user interface is finally updated with the results.

The application is based on DWR for Ajax communication, Drools as a rule engine running on the server and some custom Java code. Server side execution is rather fast, in the range of 100-200ms. On the client side things are different. Collecting the data is quite fast, too, below 100ms in every browser. Updating the UI is where most of the time is spent.

The user interface contains a bunch of tables to show the results. Rows are created and removed dynamically depending on the returned data and populated with the corresponding properties. This is done using jQuery for heavy DOM manipulation.

The current version of the tool has been tested with different browsers showing some significant differences:

Browser	Time (ms)
MSIE 6.0	3281
Firefox 3.0.4 (Linux)	1492
Firefox 3.0.4 (Windows)	1357
Google Chrome Beta 2	515

These are just the numbers from our current development version (IE 6 matches the production environment, that's why we didn't test with IE 7 or IE 8 beta).

What is interesting is that Google Chrome with the WebKit HTML and V8 JavaScript engine outperforms Firefox by a factor of three and IE 6 by a factor of six.

JetBrains has released IDEA 8.0. It has support for a few new frameworks like JBoss Seam, Struts 2, GWT 1.5, RESTful webservices and updated support for Spring like Spring 2.5, Spring Webflow, Spring MVC and Spring Dynamic Modules. Templates languages like FreeMarker and Velocity are now supported as well as improved support for XPath and XSLT.
In version 7.0 JetBrains introduced support for Maven which has been further enhanced in 8.0:

• Creating new projects from Maven archetypes.
• Resource filtering with built-in Make.
• Manually added libraries and modules dependencies support.
• Completion of artifacts' groupId, artifactId, version, exclusions, based on downloadable repository indices.
• Code completion for plugin configuration.
• Parent and dependencies generation in pom files with Alt+Insert.
• Add Maven Dependency Quick Fix for unresolved classes in java code.
• Support for Web Overlays.

This makes IDEA 8 the best choise for the development of mavenized projects.

Additionally the built-in Subversion connector has been updated for Subversion 1.5 and has support for merge-tracking.

References

• New Features in IDEA 8
• Download IDEA

Andreas Kurtz has published a security advisory regarding multiple critical security vulnerabilities in Openfire's admin console. There is also a posting to full-disclosure.
The issues allow a remote attacker to circumvent authentication and run arbitray code with the permissions of the user running Openfire. It affacts all versions up to and including 3.6.0a.

Andreas claims to have notified the vendor Jive Software six months ago. Up to now no security advisory has been issued by Jive and no patch has been published. I am really interested to hear Jive's version of this story. If it is true that Jive was aware of the issues for so long and no action has been taken to inform the community or to fix the problem this will probably result in a loss of trust in Openfire's development model.

For now the only solution is to limit access to the admin console by firewall rules. With regard to security issues in the admin console in the past this is recommended anyway. The XMPP interface is not accected by the vulnerabilities discovered by Andreas.

Update 2008-11-14

Openfire 3.6.1 has been released that fixes the security issues.

References

• Security Advisory
• Posting to full-disclosure
• Blog posting by Andreas
• Download Openfire 3.6.1

SpringSource, the company behind the popular Spring Framework has announced a new maintenance policy: SpringSource Enterprise Maintenance Policy, effective September 2008. After a lot of discussion in the community they have now added a Frequently Asked Questions document.

Spring Framework was originally created to overcome the limitations of Enterprise Java Beans (version 1 and 2) and make it easier to build J2EE applications. It has introduced dependency injection to a broad audience and changed the way many enterprise applications are built today. For many years it has been a vendor independant Open Source project available under the Apache Software License. Some time ago the creators of Spring Framework started their own company, received venture capital and things started to change. They've added new products like a new application server, bought Covalent and are looking for opportunities to gain some money.

In contrast to their new proprietary products which require a commercial license there has not been a real opportunity to make money from SpringFramework itself. Community support was fine, regular maintenance updates fixed the issues that were discovered and there was no need for commercial support. The recent announcement of their new maintenance policy seems to be their answer to that. They try to create a need for their support offerings. So the new policy basically states:

• Free maintenance updates will only be available for three months after a major release
• Maintenance releases will be available to paying customers under a commercial license for three years after a major release
• Bug fixes will be commited to a maintenance branch but minor releases will not be tagged after the three month period so the community will not know which versions are stable

Though the major releases will remain Open Source the bug free minor versions (three months later) will not. Spring Framework 2.0 was released in October 2006, Spring Framework 2.5 in November 2007 which means that the community will be without minor releases for more than 9 months if the frequency of their releases remains similar.

Sure, you can always build from the sources but this looks like a bad idea given that SpringSource refuses to tag consistent and tested versions.

I can understand the desire to make cash from SpringFramework but I am not sure this way will be successful. For me the products of SpringSource have lost their strong advantage of being vendor independant and fully Open Source. Upcoming projects will have to consider this fact and investigate alternatives.

Update 2008-10-08

SpringSource has listened to the community and updated its maintenance policy: A Question of Balance: Tuning the Maintenance Policy. They've dropped the 3 month window and will provide community releases from trunk for each version of Spring while it remains the trunk or until the next version is stable.

References

• Spring Framework
• SpringSource Enterprise Maintenance Policy
• Frequently Asked Questions
• A Question of Balance: Tuning the Maintenance Policy

Though most of the Java libraries are already in the official Maven repository you will from time to time encounter artifacts that are not available there. Reasons for this include licensing issues (e.g. Oracle JDBC drivers and some Sun Java APIs) and a lack of maintainers.
Most users of Maven run an internal repository for those artifacts and to distribute their own work products.

Recent versions of Maven support uploading artificats along with their sources directly into your internal repo through WebDAV:

mvn deploy:deploy-file \
        -DrepositoryId="internal" \
        -Durl="dav:https://server/repo" \
        -Dfile="oracle-jdbc.jar" \
        -DgroupId="com.oracle" \
        -DartifactId="oracle-jdbc" \
        -Dversion="1.2.3" \
        -Dpackaging=jar \
        -DgeneratePom=true

Read more...

Estonia is a small country in the north east of Europe in the Baltic region. As a former Soviet republic it became independant in 1991 and is a member of NATO and the European Union since 2004.

Estonia has a strong information technology sector and plays a leading role in terms of eGovernment. It has declared internet access a basic human right and there are free wlan hotspots throughout the country. Over 90% of the population own a mobile device while in 1991, when Estonia regained its independence, only half of the country's 1.4 million people even had a telephone line. Being a very small country without much natural resources, Estonia has realized that it has to move fast and that innovative ideas are the way to future.

In terms of political and civil freedom Estonia quite ahead in Europe. Reporters sans frontières has ranked Estiona 3rd out of 169 countries in its press freedom index while Germany is only on rank 20.

Liberal economic policies, low taxes and a well-educated population build a solid ground for entrepreneurs.

Next week I'll have a look on my own.

Update 2008-10-08

I've uploaded some pictures.

Packt has released a new book on Openfire a Java based Instant Messaging server.
Openfire Administration by Mayank Sharma is a step-by-step guide for everybody who wants to setup an internal IM server for private or corporate use. It walks you through the whole installation and configuration process including integration with external authentication sources like OpenLDAP and Active Directory and covers a bunch of useful plugins.

In contrast to other similar products Openfire is based on open standards as it uses the same XMPP protocol that is also used by Google Talk and Apple's iChat. Openfire is available under the GNU General Public License so there are no license fees and it's maintained by a vibrant community. There are a lot of free and commercial clients that you can use to connect to Openfire like Spark and the Flash based SparkWeb, Psi, iChat and many more.
Additional free plugins are available that cover a wide range of requirements like connection to other IM networks like MSN, ICQ/AIM and Yahoo!, server side archiving for compliance and integration with the Asterisk PBX.

If you are new to running IM infrastructure and interested in setting up a proven enterprise ready solution Mayank's book is for you and will provide you with the information required to install and run a professional IM solution.

References

• Openfire product page at igniterealtime.org
• Openfire Administration at Packt
• "Openfire: Effectively Managing Users", extracted from the book

Wenn ich von meiner Teilnahme am diesjährigen MinD Camp berichte, taucht eine Frage immer wieder auf: Was hat man sich eigentlich unter dem Programmpunkt "Kuschelworkshop" vorzustellen?

Read more...

You can use namespaces in XSLT and XPath like

<xsl:value-of select="//a:account/b:accountType"
  xmlns:a="http://example.com/accounts"
  xmlns:b="http://example.com/types"/>

For this to work in Java the document builder must be namespace aware otherwise namespaces are stripped when parsing the document and your transformation will fail for obvious reasons.

DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
f.setNamespaceAware(true);

At least in JDK 6 the default seems to be false.

Those emails to mailing lists come even from well-known consulting companies like Accenture. Three emails with almost the same question within a few hours each time including the full 25 lines long company disclaimer.

I wonder if it is known to the companies that the cheap resources are actually sponsored by well educated and expensive employees often employed by the same companies who answer those questions in their office time.