Raible Designs

Comparing Web Frameworks: Time for a Change?

I first came up with the idea to do a "Comparing Web Frameworks" talk in 2004. I submitted a talk to ApacheCon and it got accepted. From there, I outlined, created sample apps and practiced this talk before ApacheCon. Believe it or not, that was my first time speaking in front of a large audience.

Historical note: October 2004 was a pretty cool month - I discovered Rails and Roller had a 1.0 release candidate.

When I created the presentation, it was in large part due to all the WebWork and Tapestry folks harassing me on this very blog. I started using Struts in June 2001 (the same month 1.0 was released) and had used it successfully on many projects. Part of the reason this blog became so popular was I posted lots of tips and tricks that I learned about Struts (and its related project) while using it. After a while, the noise became too heavy to ignore it - especially after I'd tried Spring MVC. So in an effort to learn more about the the other frameworks, I submitted a talk and forced myself to learn them. It seems to have worked out pretty well.

With that being said, I think it's time for a change. The reason I originally wrote this was to educate developers on how the top Java web frameworks differed and encourage developers to try more than one. A while later, I realized there's different tools for different jobs and it's not a one-size-fits-all web framework world. It's not a component vs. request-based framework world either. There's lots of options now. When I've delivered this talk earlier this year, I've always felt like I've left quite a few frameworks out. The solution could be to add more and more frameworks. However, I don't think that's a good idea. The talk is already difficult to squeeze into 90 minutes and it's unlikely that adding more frameworks is going to help.

The change I'd like to do is to reduce the number of frameworks down to (what I consider) the top web frameworks for deploying to the JVM. What are those frameworks? IMHO, they are as follows, in no particular order:

• GWT-Ext
• Wicket
• Grails
• Flex/OpenLaszlo
• Seam
• Struts 2

The RIFE, Tapestry and ZK folks can start bitching now. Sorry - less frameworks make for a more interesting talk. Maybe I'll add you in the future and I can ask the audience which ones they want compared then we can choose four and go from there. Why don't I mention Spring MVC? Because I think Struts 2 is easier to learn and be productive with and I also like it's more open and active community. I've written applications with both and I like Struts 2 better. As for Flex vs. OpenLaszlo, I'm somewhat torn. It seems like learning Flex is going to be better for your career, but it's likely useless without the Flex Builder - which is not open source. However, at $250, it's likely worth its price. I know the Picnik folks used Flex for their UI - I wonder how much they used Flex Builder in the process?

What do you think? Are these the top web frameworks for JVM deployment today? The next time I give this talk is this Thursday at ApacheCon. I may try to re-write my talk and then give the audience a choice of old vs. new. The downside of doing the new talk is I won't have time to write apps with GWT, Flex or Seam. Anyone care to post their top three pros and cons for any of these frameworks?

Roller and Struts 2 BOF at ApacheCon next week

Are you going to ApacheCon in Atlanta next week? If so, you might want to mark your calendar for the Roller + Struts 2 BOF on Wednesday night. It's from 8:30 - 9:30 in "Room 3" (whatever that means) and free beer will be sponsored by Atlassian. Thanks Guys!

Apparently, projectors aren't provided for BOFs, so we are in need of a projector to do a small presentation. If you happen to have a "projector connection" in Atlanta next week, please let me know.

Interface21 on Open Source

Rod Johnson in Replies to Nonsense about Open Source says that Interface21 is the only legitimate company that can offer support for Spring.

...at least that's my interpretation...

Ben Speakmon (of SourceLabs) responds with Nonsense about Interface21.

Both articles are good reads. However, I think Ben has a good point:

One final point for Rod: why did you open source Spring at all? If you're so convinced that no one else can offer credible support for it, why not just make it proprietary?

Is Interface21 becoming the JBoss from two years ago? Will they one day make it difficult for companies to provide services around Spring like JBoss has? Fleury and Johnson will say that "professional open source" is the only way to have a truly successful project. While it may be working well for them, I tend to like DHH's stance on Rails a bit more:

I believe a Rails Inc consisting of a large group of core committers would have an unfair advantage in the training and consulting space - easily siphoning off all the best juice and leaving little for anything else. There are plenty of examples in our industry of that happening around open source tools.

It's much more satisfying to see a broader pool of companies all competing on a level playing field.

Disclaimer: In the past, I've provided training and consulting around Spring - in addition to writing a book about it. Interface21 has never done anything to discourage people from using my services. At least they haven't done anything that I know of.

GlassFish 2 vs. Tomcat 6

In Switched, Dave says:

Now that Glassfish V2 is out I'm switching from Tomcat to Glassfish for all of my development. It's more than fast enough. With Glassfish on my MacBook Pro, Roller restart time is about 8 seconds compared to 16 with Tomcat. And the quality is high; the admin console, the asadmin command-line utility and the docs are all excellent. The dog food is surprisingly tasty ;-)

I did some brief and very non-scientific performance comparisons myself:

Startup Time with no applications deployed:

• Tomcat 6: 3 seconds
• GlassFish 2: 8 seconds

Startup Time with AppFuse 2.0 (Struts + Hibernate version) as a WAR

• Tomcat 6: 15 seconds
• GlassFish 2: 16 seconds

Environment:

• JAVA_OPTS="-Xms768M -Xmx768M -XX:PermSize=512m -XX:MaxPermSize=512m -Djava.awt.headless=true -XX:+CMSClassUnloadingEnabled -XX:+CMSPermGenSweepingEnabled -XX:+UseConcMarkSweepGC -server"
• OS X 10.4.10, 2.2 GHz Intel Core 2 Duo, 4 GB 667 MHz DDR2 SDRAM

Since this was a very non-scientific experiment, it's possible the last two are actually the same. It's strange that Dave is seeing Roller startup twice as fast on GlassFish. Maybe they've done some Roller deployment optimization?

I realize startup times aren't that important. However, as Dave mentions, they (and context reloading) can be extremely important when developing.

Update: I got to thinking that Dave is probably referring to context reloading. Here's a comparison of how long it takes for both servers to pick up a new WAR (and start the application) when it's dropped into their autodeploy directories.

• Tomcat 6: 14-16 seconds
• GlassFish 2: 9 seconds

The strange thing about Tomcat is it takes 6-8 seconds to recognize a new WAR has been deployed. Does Tomcat have a polling increment that can be increased during development?

Regardless, it's impressive that the GlassFish guys have made things that much faster for developers. Nice work folks!

These days, I try to use mvn jetty:run on projects. Then I don't have to worry about deploying, just save and wait for the reload. Time to wait for AppFuse 2.0 to reload using the Maven Jetty Plugin (version 6.1.5)? 7 seconds. Of course, it'd be nice if I could somehow get this down to 1 or 2 seconds.

Maybe Dave should use the Maven integration for Roller to decrease his reload times. ;-)

Sun changes its ticker tymbol to JAVA

When I first read The Rise of JAVA - The Retirement of SUNW, I didn't think much of it. I believe I read it on some sort of news website, so I didn't realize folks would be so passionate about it. Reading the comments on Jonathan's blog is quite entertaining and smells somewhat of a TSS thread - except there's no back-and-forth banter. Dave provides a good roundup of reactions in Blogs on Sun's new stock ticker.

For me, one of the most interesting things to fall out of this is James Duncan Davidson's Remembering Java Naming Blunders Past.

Back in 1998 or so, there were a bunch of people in Cupertino?working in a building that used to belong to Apple?working to finish up the largest and most complicated release of the JDK to that date: JDK 1.2. Compared to JDK 1.0 and 1.1, it was enormous. It had slipped schedule a few times. And there were lots of changes and new APIs everywhere. So many that it was the first release where it was almost impossible to know how to use every Java API out there.

The powers that be really wanted to commorate this in a big way. They wanted to make a big splash when they officially launched the new version of Java in December of 98 at the Java Business Expo in New York. So, they decided to rename Java. I found out about this, along with all the other engineers working on Java, at an all-hands meeting in Cupertino.

The name was? wait for it? Java2000.

I met James at a MySQL Conference a few years back and he's full of stories like this. If you ever get a chance to hear one of his stories about the early days of Java at Sun - I highly recommend it.

Java Web Frameworks and XSS

In preparation for my talk at OSCON next week, I've been doing some research on cross-site scripting and how good Java web frameworks handle it. I'm disappointed to report that the handling of XSS in Java web frameworks is abysmal. First of all, the JSP EL doesn't bother to handle XSS:

With JSP 2.0 you can use the following to emit the description of a "todo" item:
${todo.description}
That's pretty nice. What happens when someone has entered a description like this?
<script type="text/javascript">alert('F#$@ you!');</script>
Well, it executes the JavaScript and pops up a nice little message to you.
...
My question is this: Why in the world did the expert group on the JSP 2.0 JSR decide to make not escaping XML content the default for EL expressions, when they made the opposite decision for c:out?

(Emphasis mine) If a company/developer wants to make sure their JSP-based code is not susceptible to XSS, they have two choices (as I see it):

• Do lots of code review to make sure <c:out> is used instead of ${}.
• Hack the jsp-compiler/el-engine to escape XML by default.

The good news is #2 doesn't seem to be that hard. I pulled down commons-el yesterday, added a hack to escape XML, re-jarred and put it in Tomcat 5.0.25's classpath. This actually worked and I was impressed it was so easy. However, when I looked at Tomcat 6, commons-el is no longer used and now there's a "jasper-el.jar" in the lib directory. I don't mind modifying another library, but what's the difference between jasper-el and commons-el?

Of course, the whole problem with JSP EL could be solved if Tomcat (and other containers) would allow a flag to turn on XML escaping by default. IMO, it's badly needed to make JSP-based webapps safe from XSS.

On a related note, there's a couple of web frameworks that I've found to be susceptible to XSS: namely Spring MVC and Struts 2. For Spring MVC, its <form:input> and <form:errors> tags are vulnerable. For Struts 2, OGNL expressions are evaluated, which is way worse than XSS and actually allows you to shutdown the JVM by putting %{@java.lang.System@exit(0)}" in a text field.

Even though it was surprising for me to see the issues with Struts 2 and Spring MVC, I'm somewhat glad they exist. If I hadn't discovered them, I might blissfully think that Java web frameworks aren't susceptible to XSS. However, it appears they're not only susceptible, but no one is really thinking about XSS when developing these framework. To further prove that theory, the Spring MVC and Struts 2 teams are aware of these issues, have been for quite some time - yet they've done nothing in the form of releasing upgrades or patches.

Seems kinda strange doesn't it?

The JA-SIG Summer Conference

In June, I'll be doing a keynote at the The JA-SIG Summer Conference. This should be interesting because 1) I've never done a Keynote and 2) the other Keynote speakers are Phil Windley and Matt Asay. I've never met either one, but I've heard Matt's name a fair amount. As for Phil, I already like him from reading his blog:

Adobe Open-sources Flex

Yawn...

I'm not sure what the excitement is all about.

I'll be doing my Comparing Java Web Frameworks talk. They gave me the option to talk on whatever I wanted. I chose the CJWF talk because then I didn't need to do any extra work. ;-) I'm beginning to look like a one-trick pony, but that's OK - at least it's a fun talk to deliver. I'll be delivering it at OSCON as well. Yesterday, I submitted proposals for Acegi + SSO + Roller, AppFuse 2.0 and CJWF to CSS and JavaZone. I'll also be flying down to Dallas on June 13th to talk about AppFuse 2.0.

For those of you who don't know, the purpose of JA-SIG and the conference is to develop a global academic community providing education and research in the applied use of open technology architectures and systems in higher education. It sounds like a good conference - I'm looking forward to all the talks on CAS, uPortal and Ajax.

Acegi Security adds OpenID support to its sandbox

From the Acegi Security mailing list:

Thanks to the efforts of Robin Bramley; we now have a first draft of OpenID support in the sandbox. The code is mostly as-is from when Robin submitted sent it to me. I've done all the standard jalopy formatting of the code so it blends in and has the proper file headers.

I don't know how much this will help folks developing intranet applications, but it's pretty cool for those doing otherwise. Anyone want to take a stab getting OpenID working with Roller? It uses Acegi and supports SSO, so hopefully it won't be too difficult.

See Timothy M. O'Brien's writeup as well as Ray Krueger's for more information.

Comparing Java Web Frameworks: Proposed Outline

I'm just now starting to create my Comparing Java Web Frameworks presentation for ApacheCon Europe. According to Dave, I'm way late on submitting my presentation. However, I haven't received any late notifications from ApacheCon's organizing committee, so I don't feel too bad.

I think it's interesting how most conferences don't spend much time organizing from a speaker's perspective. The Colorado Software Summit and NFJS are two exceptions. As a speaker, you always know exactly what's going on, what the deadlines are and where you're supposed to be when. With ApacheCon, I feel like I'm in the dark on almost everything - including if I have a hotel room or not. I guess that's the difference between a volunteer organization and conferences where the organizers make money.

Luckily, I've done this presentation quite a few times in the past, so it's mostly an update rather than a rewrite. The biggest changes: dropping Struts 1 and adding Stripes and Wicket. Of course, I could keep Struts 1 since it's not much additional work, but since I only have 50 minutes for the talk (10 minutes for QA), it makes sense to drop it. And yes, I know many of you'd like to see Grails, Seam, GWT, RIFE and Click added to this presentation - but no one wants to sit through a presentation on 11 web frameworks in 45 minutes.

Here's the abstract for the session:

One of the most difficult things to do (in Java web development) today is pick which web framework to use when development an application. The Apache Software foundation hosts most of the popular Java web frameworks: Struts, MyFaces, Tapestry and Wicket. This session will compare these different web frameworks, as well as Spring MVC and Stripes. It will briefly explain how each works and the strengths and weaknesses of each. Tips, tricks and gotcha's will be plentiful. Lastly, it will provide attendees with a sample application that utilizes all 6 frameworks, so they can compare line-by-line how the frameworks are different. This sample application will include the following features: sortable/pageable list, client and server-side validation, success and error messages as well as some Ajax functionality. The frameworks will be rated on how easy they make it to implement these features.

Without further ado, here's my proposed outline:

• Introductions (5 minutes)
• Pros and Cons (15 minutes, ~2 minutes for each)
• Sweetspots (10 minutes)
• Smackdown - evaluation criteria includes (15 minutes)
  • Ajax support
  • Bookmark-ability
  • Validation (including client-side)
  • Testability (esp. out-of-container)
  • Post and redirect
  • Internationalization
  • Page decoration
  • Community and Support
  • Tools
  • Marketability of skills (can it help you get a job)
  • Job count (is there a demand for skills on Dice)
• Conclusion (5 minutes)
• Q and A (10 minutes)

During the Pros and Cons, I won't be showing any code like I usually do - there's just not enough time. I'm also adding in a discussion on these frameworks' sweetspots. The Pros and Cons section is largely my opinion, and I think it's important to hear the framework authors' opinions as well.

In evaluation criteria, I'm dropping List screens and Spring Integration. All these frameworks have good Spring support and most support some sort of page-able/sortable list. I can add either of those back in based on your suggestions.

Any feedback is greatly appreciated.

Mixing Apache HTTP Server, mod_rewrite and mod_jk

I'm trying to configure Apache and Tomcat to work with a desired architecture for doing A/B Testing on my current project. Our basic idea is that we'll deploy entirely new WAR files when we have a test, then use the magic of Apache's mod_rewrite, mod_jk and possible the UrlRewriteFilter to keep the URLs somewhat consistent between version A and version B. Here's some questions I have for those folks who might've done this before:

1. Is it possible to use Apache's mod_rewrite to map http://www.domain.com/?v=1 to http://www.domain.com/1 (this allows us to have two different applications/wars served up to the same domain).
2. If #1 is possible, what's the RewriteRule for allowing the parameter to be anywhere in the query string, but still allowing the target to use it as the context name?
3. Is it possible to use something in the WAR (likely the UrlRewriteFilter) to produce HTML that has rewritten links (i.e. http://www.domain.com/?id=1 in the WAR whose context is 1)?

In other words, can Apache forward to the correct app going in, and can that app rewrite its URLs so those same URLs are used when going out?

I believe this is all possible. However, I am having difficulty getting mod_jk to allow mod_rewrite to be processed first. If I have the following in httpd.conf, it seems like htdocs/.htaccess gets bypassed.

JkMount /* loadbalancer

Is it possible to configure Apache/mod_jk so WARs can hang off the root, but still use mod_rewrite? If not, the only solution I can think of is to use UrlRewriteFilter in the WAR to forward to another context when a "v" parameter is in the URL. Currently, the UrlRewriteFilter doesn't allow forwarding to another context. The good news is the Servlet API allows it. I got it working in Tomcat (with crossContext enabled) and wrote a patch for the UrlRewriteFilter.

Anyone out there have experience doing A/B Testing in a Java webapp? If so, did you try to disguise the URLs for the different versions?

Update: I've got a bit of this working. The magic formula seems to be don't try to hang things off the root - use mod_rewrite to make things appear to hang off the root.

First of all, I posted a message similar to this post to the tomcat-user mailing list. Before I did so, I discovered mod_proxy_ajp, which happens to look like the successor to mod_jk. AFAICT, it doesn't allow fine-grained rules (i.e. only serve up *.jsp and *.do from Tomcat), so I'll stick with mod_jk for now.

Rather than proxying all root-level requests to Tomcat, I changed my JkMount to expect all Tomcat applications to have a common prefix. For example, "app".

JkMount /app* loadbalancer

This allows me to create RewriteRules in htdocs/.htaccess to detect the "v" parameter and forward to Tomcat.

RewriteEngine On

RewriteCond     %{QUERY_STRING}     ^v=(.*)$
RewriteRule     ^(.*)$              /app%1/ [L]

This isn't that robust as adding another parameter causes the forward to fail. However, it does successfully forward http://localhost/?v=1 to /app1 on Tomcat and http://localhost/?v=2 to /app2 on Tomcat.

What about when ?v=3 is passed in? There's no /app3 installed on Tomcat, so Tomcat's ROOT application will be hit. Using the UrlRewriteFilter, I installed a root application (which we'll likely need anyway) with the following rule:

    <rule>
        <from>^/app(.*)$</from>
        <to type="forward">/</to>
    </rule>

So I've solved problem #1: Using URL parameters to serve up different web applications. To solve the second issue (webapps should rewrite their URLs to delete their context path), I found two solutions:

1. Use mod_proxy_html. Sounds reasonable, but requires the use of mod_proxy.
2. Use the UrlRewriteFilter and outbound-rules.

Since I'm using mod_jk, #2 is the reasonable choice. I added the following link in my /app1/index.jsp:

<a href="<c:url value="/products.jsp"/>">link to products</a>

By default, this gets written out as http://localhost/app1/products.jsp. To change it to http://localhost/products.jsp?v=1, I added the following to urlrewrite.xml:

    <outbound-rule>
        <from>^/app1/(.*)$</from>
        <to>/$1?v=1</to>
    </outbound-rule>

This produces the desired effect, except that when I click on the link, a new session is created every time. AFAICT, I probably need to do something with cookies so the jsessionid cookie is set for the proper path.

Not bad for a day's work. Only 2 questions remain:

1. What's a more robust RewriteRule that doesn't care about other parameters being passed in?
2. What do I need to do so new sessions aren't created when using an outbound-rule?

It's entirely possible that mod_proxy_ajp with mod_rewrite_html is best tool for this. Can mod_proxy handle wildcards like JkMount can? I've heard it's faster than mod_jk, so it probably warrants further investigation.

Update 2: I achieved the desired result using mod_rewrite, mod_jk and the UrlRewriteFilter (for outgoing links). Here's what I put in htdocs/.htaccess (on Apache):

RewriteEngine On

# http://domain/?v=1 --> http://domain/app1/?v=1
RewriteCond     %{QUERY_STRING}     v=([^&]+)
RewriteRule     ^(.*)$              /app%1/$1 [L]

# http://domain --> http://domain/app (default ROOT in Tomcat)
RewriteRule     ^$                  /app/ [L]

And in the urlrewrite.xml of each webapp:

   <outbound-rule>
       <from>^/app([0-9])/([A-Za-z0-9]+)\.([A-Za-z0-9]+)$</from>
       <to>/$2.$3?v=$1</to>
   </outbound-rule>

   <outbound-rule>
       <from>^/app([0-9])/([A-Za-z0-9]+)\.([A-Za-z0-9]+)\?(.*)$</from>
       <to>/$2.$3?$4&amp;v=$1</to>
   </outbound-rule>

Next I'll try to see if I can get it all working with mod_proxy_ajp and mod_proxy_html. Anyone know the equivalent of "JkMount /app*" when using LocationMatch with mod_proxy?