I delivered my Maki
as an Ajax Mashup Framework
talk and the slides are available
Lots of attendees came by afterwards and told me that they enjoyed the
demo. The talk showed how jMaki
provides a lightweight mashup framework that runs in
the browser. Here is a pictorial representation of the demo shown:
jMaki Webtop is basically a jMaki widget that can be embedded in a JSP
or PHP page. This widget provides the framework for managing widgets
and users, ability to persist the Webtop on client-side using Google
Gears or server-side using backend database, layouts and other
functionality. In JSP case, the widget uses JPA for performing all the
CRUD operations with the back-end MySQL database. The resulting WAR
file is deployed on GlassFish
(can be any other Servlet container as well). If you are interested in
a Java version of Webtop then the recommended path is:
- Create services & widgets using NetBeans
- Deploy them on GlassFish
- jMaki webtop for widget deployment & customization
It really is an evolution of jMaki - using all the infrastructure that
has built over 2 years. You can experience it yourself at jmaki.com/webtop
which is running a PHP version of the app. See the coverage here
The code will be available soon!
I attended few more talks and took notes in some of them to share:
See below for notes from some of them.
we fix the Web ?
This was an early morning talk (7:30am) and I reached few minutes late.
- Script injection
- No difference between user & guest scripts
- Scripts exempt from same-origin policy
- No modularity (global access to everything on the page)
And also DOM vulnerability because every node in the tree has access to
every other node. This lacks modularity and causes a potential security
Doug recommended 3-step plan to fix the Web:
unsafe or suspect such as no global vars or functions
- Google Caja & Cajita provide a similar subet but
they use transformation instead of validation
- Minor browser improvements
- Scripts are exempt from same-origin policy. This allows a
dynamic <script> tag to make a GET request from a server.
Instead use JSONRequest (part of json.org).
maintains backwards compatibility and adds complexity.
- Major browser improvements
approach is to start with JSLint and add safe features as required.
- The Object Capability System (where objects are given
explicit access to be used) needs to be enforced to make it secure.
In Doug's opinion, if the Web is not fixed then JavaFX
(all vastly superior but lacking adoption) will displace the web.
The second talk was on Accelerate
Ajax development with Appcelerator
The talk started with a "not too long back" introduction of the
technology space. Well, it started with 1991 and the timeline (and
associated technology advances in that year) kept shuffling 1995, 1989,
2001 .... and so on. Jeff talked about how/why Tim Berners Lee invented
WWW and covered a myriad of terms after that including but not limited
to - Web 1.0, Netscape, Mosaic, marc Andreeeseen (sp?), Java, java Web
Start, Applets, W3C, CGI, J2EE, JCP, C#, JBoss, SOA, JavaFX,
Silverlight, AIR and many others. For a 50 minute talk, that was quite a long
After that introduction, he word "Ajax" was mentioned almost
30 minutes (8:51am to be precise) in the talk. And then the word
"Appcelerator" was mentioned at 9:06am. Finally, I realized that I'm in
the right talk ;)
like to pitch themselves as RIA + SOA company and allows true
decoupling of the rich client from it's services. Their services is
very similar to jMaki but they use event handling + Ajax + DHTML to
achieve it. They also run on Ruby, PHP, Java and other languages.
All in all, it was a good walk through the memory lane!
The next one was REST
& Ajax Reconciled
The talk explained the basic concepts of REST
- Resource, URI, Representation, URL & Methods (GET, PUT, POST
& DELETE). It also explained the idempotency and safety of each
method type. Overall a good decent introduction.
Then it explained the limitations with current web-based forms:
- The URIs in the action attribute cannot be changed
- Most browsers recognize only GET/POST methods
- Limited ecodings - for example generating JSON encoding
requires extra work.
It provided a REST framework checklist:
- Does it have resource-based approach ?
- Acknowledges existing of representation ?
- Solid engineering & community support ?
The three frameworks discussed in the talk were:
Cocoon - based on XML pipelines & URL patterns,
powerful but steep learning curve
- Like Servlet for REST, good for existing model
Sling - Based on JCR with server-side scripting support
The talk did not mention anything about Jersey
turning out to be a great implementation and very well meets all the
critieria mentioned above.
The speaker recommended Apache Sling with µjax
for all REST + Ajax needs. But I'd strongly encourage you to have a
look at Jersey. The JSON representation generated out of Jersey can now
be directly consumed by jMaki as described here
- a true combination of REST & Ajax :)
And then the last talk where I took notes is Understanding
the Top Web 2.0 Attack Vectors
. I'll provides notes from the
last 5 slides of the talk which essentially captured the essence. These
slides talked about fundamental issues with Ajax and described concerns
and possible attacks in each issue. I'll need to understand some of
these attacks better myself but at least I have a list to begin with :)
Here you go:
- Cross-domain communication
- Exposed business logic (View Source)
- Local & Offline data storage
- Cross-site scripting, DNS Rebinding
- Business logic bypass
- Variable tampering
- Protocol hijacking
- Function clobbering
- Concerns - new protocols on top of HTTP
- Recursive Payloads
- Schema Poisoning
- Information Sources
- Diverse (RSS, Blogs, Email, ...)
- Untrusted content
- Poisoned Cache (HTTP Response Splitting Vulnerability)
- DNS Issues
- Information Structure
- Concerns - Variations of data structure
- Serialized data
- Malicious injection
- Parser implementations
- Server-side Issues
- Architecture Weaknesses
- Multiple languages & implementations
- Increase & fragmented attack surfaces
- Unknown request origin
- Authorization & Authentication in complex
- Information disclosure, Logical attributes,
- Command Injection
talk about Gadgets & Widgets was nice. The alliance is working
on creating standards for widget metadata, communication across widgets
and other similar tasks. The goal is to enable successful adoption of
open and interoperable Ajax-based Web technologies.
Dave Ferraiolo (from OpenAjax) particularly expressed thanks to jMaki
for deriving the first set of Open Ajax Data Model specs from jMaki
Check out some of the pictures:
The complete album is available at:
I had to leave at the end of Day 2 because of unfavorable health
condition. But I'm glad at least I could deliver my talks :) Now I need
to be back-in-shape before my upcoming trip next Tuesday!
ria sun web2.0 jmaki