[Owasp-austin] OT? web application frameworks

Smith, Milton msmith at ercot.com
Wed Aug 12 15:24:31 EDT 2009

I agree with Ernest.  You need to consider your requirements and organization's skill sets then consider the various frameworks (and maybe you already have).  With that said, here are a few lines of thinking you may want to consider on your project if it's helpful.

I have developed commercial software professionally for many years on both Java and C++.  When I develop server applications, I like Java because it supports mainstream hardware and operating system platform choices for many consumers.  Commercially, there are no clear server platform winners and Java provides a lower cost alternative to coding solutions for each platform -- clearly a business advantage.

Even if you're not writing software commercially, platform independence is useful during upgrades and server refreshes.  Beyond platform independence, Java has a rich open source support community and source code availability is helpful during troubleshooting.  If you're a Microsoft/.NET shop (.NET has lots of great features) that's fine.  My point is not to persuade you to change frameworks but only to consider my viewpoint for building services.

The following are some choices I have considered and my thinking behind them.

- JRuby.  JRuby is a Java implementation of Ruby that also provides options for Java extensibility.  For example, if you have some performance intensive tasks you can call Java programs directly from JRuby.  My general concern with Ruby is that it is an implementation NOT a specification; therefore, there is no governing body that guides changes to Ruby except its creators.  Of course, they probably listen to their user community, but practically speaking, a Ruby program on one interpreter is not guaranteed to work on another whereas Java/C++ work under a variety of virtual machines and compilers, respectively.

- WebObjects.  I always had a soft spot for WebObjects.  WebObjects is a Java based framework developed by Jobs at NeXT and brought to Apple when he returned.  WebObjects was far ahead of its time.  Many of the framework tools today are knock-offs of WebObjects.  WebObjects is unique because it brings WYSIWYG to web development.  I'm not sure what Apple is up to these days with WebObjects but if I were undertaking a project I might review it for viability as a solution (assuming IT would entertain the thought).  Some of the more interesting WebObjects features at the time were: fast service deployment without scripts, Entity Modeler tool which is an ORM layer like Hibernate, support for many DBs, MVC architecture, easy to scale (just add more servers), extensible, and more.  The biggest drawback at the time is you must use their development environment for WYSIWYG programming (no Eclipse, darn).  I have seen some substantial deployments on Solaris at a portal company.  Generally, only limited sections of a web site are managed by WebObjects like the "Shopping Cart" or dynamic areas, not static pages.  WebObjects can be combined with Drupal or Joomla to create a full featured web site solution.

- Component approach.  If requirements are loose sometimes it's safer to err with flexible components.  JBoss/Tomcat for MVC layer.  Hibernate for managing persistence business objects.  Log4j, Syslog, and Splunk for comprehensive logging and log viewing.  The appeal of component based architecture is that you have maximum flexibility (but at the expense of increased development time).  The extra time you invest up front may save time after the software evolves.  There is less chance of hitting performance or functionality limitations within someone else's framework.  You can fudge (or fall short) a little on implementation and fix it later but fudging on architecture leads to real problems later.  Business always wants solutions faster than they can be delivered but I suggest working to help these folks understand what can reasonably be accomplished.

Oh yeah, keep in mind you should code review any open source you use.  Assuming that it must be secure, reliable, or even scalable because it's used widely is a bad assumption.  I have found many flaws in mainstream open source (e.g., SQL Injection, concurrency issues, etc.) and I have come to the conclusion they (like commercial communities) are focused on functionality.  While it's a good survival skill to be sure, it's a bit disconcerting if your quality standards are higher than the module you plan to include <grin>.

Good luck,
Milton Smith
bull7 at mac.com  (ok, I'm a Mac bigot as well)

-----Original Message-----
From: owasp-austin-bounces at lists.owasp.org [mailto:owasp-austin-bounces at lists.owasp.org] On Behalf Of Ernest Mueller
Sent: Wednesday, August 12, 2009 10:36 AM
To: travis+ml-owasp at subspacefield.org
Cc: owasp-austin-bounces at lists.owasp.org; owasp-austin at lists.owasp.org
Subject: Re: [Owasp-austin] OT? web application frameworks

If you want to code in Python then django is a good framework -

In terms of "how to decide" - that's a real corker.  It depends on your
requirements, and then on either using every framework to demo it, which is
probably infeasible from a time standpoint, or getting an accurate read on
what exactly each one does, which can be hard to suss out from the general
technical fanboy blather about any given one.  It's kinda like asking
"which car is best."  There's a highly subjective element and a "what do
you need" element to it.

In this case, I'd probably start out with choosing a language you are
conversant with (from the mainstream java/php/perl/python to weird stuff;
there are smalltalk and erlang web frameworks out there for the insanoids).
If you choose Python, then knowing one or two frameworks (django and
pylons) just start googling them "vs" each other and you can get people's
head to head thoughts and likely will find other well respected ones since
you'll get hits to "django vs pylons vs thing3."  Like I found turbogears
in short order doing that.  Seems like in general those are the big 3
(assuming you don't count plone) in the Python world.  From reading the
comparisons it seems like there's some pretty good distinctions depending
on how much of a noob you are in that area and how much customization you
want.  django is more cookie cutter and mature, turbogears is more noob
friendly, and pylons is more customizable.

http://stackoverflow.com/questions/48681/pros-cons-of-django-vs-pylons (by
the pylons guy)


  From:       travis+ml-owasp at subspacefield.org
  To:         owasp-austin at lists.owasp.org
  Date:       08/11/2009 11:41 PM
  Subject:    [Owasp-austin] OT? web application frameworks
  Sent by:    owasp-austin-bounces at lists.owasp.org

So I'm starting up a personal project and I'm trying to decide from
among the gazillion web application frameworks, which I should

The goal is to rapidly produce a web site, because my spare time
is rather limited.  So no C++ or java frameworks really fit my bill.

So far I've heard a lot about Ruby on Rails, obviously (who hasn't?).
Unfortunately I'm a novice at Ruby; I like it a lot, but I'm to the
point where I can write ruby programs, but not at an expert level.
I watched a screencast of someone developing a web site with RoR, and it's
apparent that a knowledge of normal Ruby is not enough; he dizzied me
with what he was doing, I couldn't keep up.  In fact, just reading
the Wikipedia article left me dizzy with the thousands of ways to
do things.

I also have a friend who has done some RoR work, and he actually
prefers Pylons.  This is good news for me, because I've developed
some non-trivial programs in python, and am quite familiar with it.

However, I want to make sure I'm not just choosing the easiest path,
but the right tool for the job, if it's significantly better.

What should I look for in such a web framework?  That is, how should
I decide between the large number of them out there?
Owasp-austin mailing list
Owasp-austin at lists.owasp.org