Matt Raible is a writer with a passion for software. Connect with him on LinkedIn.


5 Years

Doh! It looks like I missed my 5-year blogiversary last week. It's hard to believe it's been 5 years since I started this blog on August 1, 2002. A lot has happened since then: Abbie was born, we moved from Morrison to Denver, Jack was born and Julie built a new house. For those that know me personally, a lot has happened this summer too.

Julie and I are getting a divorce.

Our reason is simple - we're not in love with each other like we expect a married couple should be in love. It's going to be a good move for the both of us and while it might be hard to get through the next several months, we'll both be happier in the long run. We still plan on raising a family together, we'll just be doing it from two separate households and living two separate lives. I bought a house a few weeks ago and moved in last week. This past weekend was my first "Daddy's weekend" and the kids and I had a blast.

I realize that divorce is a sensitive subject and it might not be something that folks think is appropriate for a blog post. I started this blog in order to document my life's history and this seems like a pretty important thing to document. My life has certainly changed a lot in the past couple months and it's likely to change quite a bit more in the future. I realize I haven't been blogging much lately - now you know why. I don't know if I'll return to actively blogging like I once did, but I think I will.

I've turned off comments for this post - I hope you understand. If you'd like to tell me your story about successfully raising children of divorce, I'd love to hear about it.

Update: It figures - my contact form appears to have been broken for the last month or so. If you used it to send me a message, there's a good chance I didn't receive it. Sorry - it should be fixed now.

Posted in General at Aug 06 2007, 10:00:06 AM MDT

Roller Themes

Eugene Strokin has been doing an excellent job migrating Free CSS Templates to Roller Themes. So far, he's done 10 and it doesn't look like he's stopping any time soon. Well done Eugene! IMO, nice-looking themes for Roller have been one of its biggest missing features.

Now if we could only use Roller to power the Apache project site...

Posted in Roller at Aug 03 2007, 12:26:56 PM MDT 2 Comments

Trim Spaces in your JSP's HTML Redux

Since my last post on trimming whitespace in JSPs seems to be a popular topic, I figured it appropriate to note that JSP 2.1 supports a new trimDirectiveWhitespaces attribute on the page directive:

    <%@ page trimDirectiveWhitespaces="true" %>

If you're using a Servlet 2.5 XSD, you can also do this in your web.xml:

    <jsp-config>
      <jsp-property-group>
        <url-pattern>*.jsp</url-pattern>
        <trim-directive-whitespaces>true</trim-directive-whitespaces>
      </jsp-property-group>
    </jsp-config>

A Servlet 2.5 XSD seems to be the following:

    <web-app
        xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
        metadata-complete="false"
        version="2.5">

To learn more about this feature, view Summary of New Features in JSP 2.1 Technology and search for "TrimWhiteSpace". It'd be nice if there were anchors in this article for a direct link, but I couldn't find any.

Now I just wish JSP's EL had an xmlEscape="true" flag to escape XML in printed variables. Freemarker supports this.

Hat tip to Kerem and Krishna's Unified Expression Language for JSP and JSF article.

Posted in Java at Aug 01 2007, 05:01:25 PM MDT 10 Comments

AppFuse now powered by Contegix and Atlassian

The AppFuse project is now hosted on a Contegix server for its documentation, demos, issues and continuous integration. Single sign-on to all of these servers is handled by Crowd. Many thanks to Atlassian for their generous donations of licenses. The free server and service from Contegix is one of the nicest things that anyone has ever done for me - thanks guys!

If you see any issues that might be related to this move, please let us know.

In addition to running the Atlassian Suite, we're also hosting our own Maven repository. We've been hosting our own for almost a year now. Now that AppFuse is residing on the same infrastructure as Maven's central repo, I wonder if it makes sense to publish to the central repo? I don't see any advantages. If we continue to retain our own, we can have more control, publish to it easily, and fix annoying bugs. What do you think - continue with our own or publish to the central repo?

Update Feb 20, 2015: All AppFuse artifacts are published to Maven Central and have been for several years.

Posted in Java at Jul 27 2007, 08:21:38 AM MDT 2 Comments

OSCON 2007: Comparing Java Web Frameworks

This afternoon I delivered my Comparing Java Web Frameworks talk at OSCON in Portland. I told attendees I'd post it here afterwards, so here it is:

Download Comparing Java Web Frameworks Presentation (5.1 MB)

For comments on this presentation from earlier this year, see related postings from ApacheCon EU and JA-SIG. This presentation is pretty much the same as the one from ApacheCon and JA-SIG, except it has a different theme and I chopped out the Sweetspots section (due to time constraints).

Portland is great this time of year, but unfortunately I won't be sticking around. I'm heading down to Salem to work remotely for a couple of days, returning for the Oregon Brewers Festival on Friday and heading back to Denver on Saturday. I'll be glad when July is over - I've traveled to a new state every week.

Posted in Java at Jul 25 2007, 04:50:55 PM MDT 9 Comments

Java Web Frameworks and XSS

In preparation for my talk at OSCON next week, I've been doing some research on cross-site scripting and how well Java web frameworks handle it. I'm disappointed to report that the handling of XSS in Java web frameworks is abysmal. First of all, the JSP EL doesn't bother to handle XSS:

With JSP 2.0 you can use the following to emit the description of a "todo" item:

    ${todo.description}

That's pretty nice. What happens when someone has entered a description like this?

    <script type="text/javascript">alert('F#$@ you!');</script>

Well, it executes the JavaScript and pops up a nice little message to you.
...
My question is this: Why in the world did the expert group on the JSP 2.0 JSR decide to make not escaping XML content the default for EL expressions, when they made the opposite decision for c:out?

(Emphasis mine) If a company/developer wants to make sure their JSP-based code is not susceptible to XSS, they have two choices (as I see it):

  • Do lots of code review to make sure <c:out> is used instead of ${}.
  • Hack the jsp-compiler/el-engine to escape XML by default.

The good news is #2 doesn't seem to be that hard. I pulled down commons-el yesterday, added a hack to escape XML, re-jarred and put it in Tomcat 5.0.25's classpath. This actually worked and I was impressed it was so easy. However, when I looked at Tomcat 6, commons-el is no longer used and now there's a "jasper-el.jar" in the lib directory. I don't mind modifying another library, but what's the difference between jasper-el and commons-el?

Of course, the whole problem with JSP EL could be solved if Tomcat (and other containers) would allow a flag to turn on XML escaping by default. IMO, it's badly needed to make JSP-based webapps safe from XSS.
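
The first option above (reviewing JSPs for raw ${} output) can be partly automated. The following is an added example, not code from this blog or from any project it mentions: a Java scanner that reports EL expressions written to the page without going through <c:out> or fn:escapeXml. The class name UnescapedElScanner, the sample JSP, and the assumption that JSTL core and functions are bound to the prefixes c and fn are all illustrative.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Review aid (hypothetical class): lists JSP EL output that is not XML-escaped. */
public class UnescapedElScanner {
    private static final Pattern EL = Pattern.compile("\\$\\{([^}]*)\\}");
    // JSTL core tags, assumed bound to prefix "c"; <c:out> escapes XML by default.
    private static final Pattern CORE_TAG = Pattern.compile("<c:\\w+[^>]*>");
    // <c:out> with escaping explicitly switched off.
    private static final Pattern RAW_OUT =
        Pattern.compile("<c:out\\b[^>]*escapeXml\\s*=\\s*\"false\"[^>]*>");

    static List<String> scan(String jsp) {
        List<String> findings = new ArrayList<>();
        String[] lines = jsp.split("\n");
        for (int i = 0; i < lines.length; i++) {
            Matcher raw = RAW_OUT.matcher(lines[i]);
            while (raw.find()) {
                findings.add("line " + (i + 1) + ": " + raw.group());
            }
            // Drop core tags so only EL in template text and in other tag
            // libraries' attributes (escaping there depends on the tag) remains.
            String rest = CORE_TAG.matcher(lines[i]).replaceAll("");
            Matcher m = EL.matcher(rest);
            while (m.find()) {
                // ${fn:escapeXml(...)} is the escaped EL form; anything else is raw.
                if (!m.group(1).trim().startsWith("fn:escapeXml(")) {
                    findings.add("line " + (i + 1) + ": " + m.group());
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample JSP, not taken from a real application.
        String sample = String.join("\n",
            "<h1>${todo.title}</h1>",
            "<p><c:out value=\"${todo.description}\"/></p>",
            "<p>${fn:escapeXml(todo.description)}</p>",
            "<a href=\"/todo?id=${todo.id}\">${todo.owner}</a>",
            "<c:out value=\"${todo.notes}\" escapeXml=\"false\"/>");
        scan(sample).forEach(System.out::println);
    }
}
```

The scan is line-based, so a tag split across lines or an attribute whose EL contains a ">" comparison needs a manual look. EL inside attributes of non-core tag libraries is reported on purpose, because whether it is escaped depends on the tag.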

On a related note, there are a couple of web frameworks that I've found to be susceptible to XSS: namely Spring MVC and Struts 2. For Spring MVC, its <form:input> and <form:errors> tags are vulnerable. For Struts 2, OGNL expressions are evaluated, which is way worse than XSS and actually allows you to shut down the JVM by putting %{@java.lang.System@exit(0)} in a text field.

Even though it was surprising for me to see the issues with Struts 2 and Spring MVC, I'm somewhat glad they exist. If I hadn't discovered them, I might blissfully think that Java web frameworks aren't susceptible to XSS. However, it appears they're not only susceptible, but no one is really thinking about XSS when developing these frameworks. To further prove that theory, the Spring MVC and Struts 2 teams are aware of these issues, have been for quite some time - yet they've done nothing in the form of releasing upgrades or patches.

Seems kinda strange, doesn't it?

Posted in Java at Jul 19 2007, 10:16:15 AM MDT 26 Comments

AppFuse 2.0 Status Update

It's been far too long since the release of AppFuse 2.0 M5. When we released that version, I fully expected to finish up RC1 a week or two later, and follow that with 2.0 Final a week later. Fast forward a month and a half, and there's still 38 issues left for 2.0 RC1. What happened?

Life got in the way.

There's probably less than 40 hours left to complete 2.0. I could say that I haven't had the time, but you all know that's a lie. Everyone has time. When someone says "I don't have time to do X right now", this really means "that's not on my priority list and I'm not going to make time to do it". So unfortunately AppFuse hasn't been on my priority list. Finding a new gig, vacationing with my family and buying a new mountain bike were on my priority list.

So if there's only 40 hours worth of work left, why didn't I just work a couple hours a day on it? Primarily because when I work on AppFuse it possesses me. I tend to get caught up in it and it's tough for me to concentrate on other things, especially work that I'm supposed to be doing during the day. Since I've had two new clients in the past few weeks, I've been aware of this and purposely stayed away from working on it.

The good news is things should settle down soon. I have a couple weekends on the horizon that look to be free, so hopefully I can crank it out and finish it up in the next month or so. As far as the project itself, there's plenty of users happily using the 2.0 milestone releases and there's still lots of traffic on the mailing list. It's crazy to think that the planning for AppFuse 2.0 started over a year ago and development started one year ago next month. If I knew it'd take this long, would I still have done it? Absolutely. I've never heard so many positive comments from users.

In other AppFuse News, Contegix has graciously donated an entire managed server to the project. We have licenses for the Atlassian Suite (JIRA, Confluence, Bamboo and Crowd) and will be moving/installing everything over the next week or so.

Thanks Contegix!

As anyone that uses them knows, they're simply the best hosting company in existence today. Their customer support and response time are incredible.

Posted in Java at Jul 11 2007, 10:17:26 AM MDT 14 Comments

First Day at LinkedIn

Today was my first day onsite at LinkedIn in Mountain View, California. I'm very impressed by two things so far: they gave me a new MacBook Pro and Sushi is on tap for lunch tomorrow. Of course, there's a lot more impressive things going on there, but the new MacBook was today's highlight. The strange thing is I don't need one - I just got a new 17" a few months ago. Nevertheless, I received and configured a new 15" today. It's not the machine that impresses me, but the company's willingness to buy the best machines for its developers.

I was introduced to almost the entire company this morning, and I only saw one Windows machine in a sea of Macs. My favorite quote? "If the MacBook Pro isn't fast enough for you, we can see about getting you a Mac Pro." I like a company that knows what developers like and doesn't have a problem treating them well.

The last time I received a new computer as part of a contract or full-time position? I believe that was way back in 2002. Working at LinkedIn seems like a developer's paradise. Does your company provide new MacBook Pros and Cinema Displays to its developers?

Posted in Java at Jul 09 2007, 11:51:18 PM MDT 26 Comments

Bike to Work Day

Today is Bike to Work Day in Denver. I rode my bike into The Hive this morning. It was a perfect morning for a ride - overcast and cool, with the sun just starting to poke out as I approached downtown. Unfortunately, I didn't realize all the festivities were at Civic Center Park, so I didn't win any prizes, get any breakfast or drink any free coffee. Oh well, maybe they'll have free beer somewhere on the ride home...

Posted in General at Jun 27 2007, 09:38:04 AM MDT 2 Comments

JA-SIG Keynote: Comparing Java Web Frameworks

This morning I did my first keynote at the JA-SIG Summer Conference in Denver. My talk was on Comparing Java Web Frameworks. I told attendees I'd post it here afterwards, so here it is:

Download Comparing Java Web Frameworks Presentation (1.1 MB)

In addition, I mentioned my Java Web Frameworks Sweetspots Whitepaper.

Will I be comparing web frameworks at conferences for the rest of my life? Possibly. I've been submitting 2-3 proposals to conferences and it's the only one that keeps getting selected. I'll be delivering it at OSCON, JavaZone, Colorado Software Summit and ApacheCon US.

The Colorado Software Summit wants to have an original presentation - so I may need to drop a framework or two and add in Seam, Grails and GWT. If you are planning on attending one of these talks, which frameworks would you like to see compared?

Related: Comments after I delivered this presentation at ApacheCon EU.

Posted in Java at Jun 26 2007, 10:47:16 AM MDT 9 Comments