Ted, en Espanol…

JavaHispano, a Spanish Java/J2EE portal, asked to interview me, and the results are now posted on their website, in both English and Spanish. This marks the third language I’ve been translated to, officially; the first two were official translations of Server-Based Java Programming, to Korean and English. 🙂 (To be specific, it was slightly reformatted for sale in India.)

Martin Perez, who wrote up the questions, did a pretty good job coming up with some questions that just begged for candid answers, like:

    I’m just curious. How can the same man write Effective Enterprise Java and being TheServerSide.net chief editor -without entering to talk about your dark side books 🙂 – at the same time ?


    Considering the different solutions, platforms, products and languages present today. For any enterprise, is open integration the key to survive on the IT world ?

and its followup

    But talking about Web Services, we found them very immature yet, as many standards are opened yet. Will be this the year of Web Services ?

and one of my favorites

    In your book, one of your advices is to not forget rich clients. But, if we look at most of the published books, each nine of ten talks only about web application world. Are really rich clients live and ready for enterprise applications ?

Man, remind me never to do a live interview with these folks! 🙂

Even if you don’t speak Spanish, there’s some other good interviews in English to read, like Jason Hunter on servlets and XQuery, Erik Hatcher on Lucene, Jack Shirazi on performance tuning…. Go check it out.

Kirk Pepperdine blasts the .NET Rocks! show with me, Don and Mark

Kirk Pepperdine recently blogged about his reaction to a .NET Rocks! radio show spot I did with Don Box and Mark Pollack (of Spring and Spring.NET fame). And boy, Kirk holds nothing back in his reaction. Given his candor, I felt it appropriate and respectful to at least recognize his comments and offer up my own reaction.

Kirk opens his commentary with the following:

    In an episode of .Net Rocks, Carl Franklyn interviews Mark Pollack, Ted Neward and Don Box on Java, .Net and the future. The show starts off with Carl practically calling Java programmer Neanderthals because (oh my gosh) we actually had to write code. He then goes on to down play just about every innovation that did not come from Microsoft. Ok, with a show named .net rocks I expected a certain level of propaganda but in this case, the level of rhetoric was so loud that I only continued to listen because I expected the venerable voice of reason, Ted, to speak up.

    and I waited….. and waited…..
    Ted Neward is someone that I’ve admired because of his ability to sit on the Java Microsoft fence and till now, has seem to avoid getting splinters in his ass. But now I wonder if he?s not sacrificing his integrity when he shows up on net talk shows such as this one. Was Ted sitting in silent agreement?

Not hardly, Kirk, but I can clearly remember being on the phone and wanting to make sure that I gave the other two (Mark and Don) their fair share of radio time. See, I have this reputation (fairly earned) for going on for days about a subject, and I didn’t want this to turn into the "Ted Neward show" by just talking and talking and talking…. Kirk notes later that I seemed to have found my voice, but let me be 100% clear and say that at no point was I deliberately keeping quiet out of some political agenda–I just genuinely wanted the other guys, particularly Mark, who was the original guest host when Carl invited me to join, to get some air time. Nothing more than that.

Kirk also says,

    In blatant, no brazen attempt to discredit the usability of Spring, Carl Franklyn asked one question that, just like the one asked of Rumsfeld in Iraq, had all the earmarks of being planted. I say planted because when the panel turned to the much more interesting question or O/R mapping, the host suddenly disappeared from the conversation! Was the panel out of your league Carl? Too hung up in data holders to understand what an object model looks like? And just why where you trying to discredit Spring? Where you threatened that you might actually have to know more than one thing to be functional in the real world?

OK, let me put one thing straight here: Carl is a bright guy, but he knows nothing–less than nothing, in fact–about Java, and Carl was trying to make sure, as any good talk show host will do, that the conversation kept flowing. As one who’s done interviews in the past, you have to prepare some questions, preferably good ones that will keep the guests talking for a while, ahead of time. Carl stopped talking because it became fairly apparent as the show went on that Mark, Don and I needed little–if any–prodding to keep chatting. I am willing to go out on a limb here and say that he stopped talking because the point of the show is for the guests to talk, not him, and he, like any good talk show host, knows that and when it happens, lets it happen. Please don’t bash Carl out of ignorance–he’s a genuinely good guy and I sincerely don’t believe he had any kind of "bash Java" agenda for the show.

    Ted certainly got back on track pretty quickly once the host exhausted his limited knowledge and let the other speak. In a back at’chit, Ted said that the Java community is more open, more prone to injecting things back into the community than Microsoftites are. And no wonder if the reaction to your work is to get slapped in the face by some wannabe radio talk show host! Why suffer the indignation when the Java community will respect what you?ve contributed! Enough bile, onto the question

Again, this wasn’t to put Carl "into his place" or anything–it’s just a genuine explanation of how things work in the Java community that people who live and breathe in the .NET world may not know about. Unless you live in both worlds, it’s easy to believe that the other guys work exactly the same way you do, and let me be the first to tell you, that is NOT the case with these two communities. That’s why I sometimes describe myself as the .NET Ambassador to Java or the Java Ambassador to .NET.

Kirk next hits on an interesting point of the show:

    What happens if you return or pass this. Apparently you end up by passing the dynamic proxies that Spring weaves into your code. Interesting does this mean that code written to the Spring framework cannot use double dispatch and other OO techniques that rely on the ability to perform call backs? From the answers given by Mark this would appear to be the case. As Ted put it, this hasn?t seemed to have been a problem as the Java community hasn’t used the framework like that. Even so, it was admitted by all that Spring maybe a bit broken in this regard.

What Don was referring to is that in COM, when an object is placed into a COM Context, they have to do a bunch of work to make sure that if the object placed in that Context ever returns "this" (the C++ reference-to-self), it’s not the actual raw object pointer but the pointer to the interceptor that invokes the Context gunk first. In EJB, this would be the difference between taking the raw pointer to bean as opposed to taking the handle to the bean–the handle is safe to pass around, the reference itself may not be. And yes, the Java community hasn’t run into this problem nearly as much as the COM guys did, apparently. (The COM space is somewhat out of my depth–I never did any COM work "in anger", so I don’t know how problematic the problem really was. If Don says it was, though, I have a tendency to believe him.)

Kirk then goes on to a lengthy–and good–treatise on O/R mapping, describing his experiences with O/R and to criticize the discussion, ending with this:

    If there is one more major point that Ted missed in his discussion of O/R mapping. Though it was pointed out that Microsoft has very little experience with O/R mapping where as Java has been struggling with it for 8 years or more, it should also be noted that Java and O/R mapping really grew up together. Note that before Java, only TopLink was available as a commercial product. Consequently, Java has made many mistakes while trying to crack this tough nut. As dot net and Java converge, it is clear that Java will need to become more agile while dot net will start to face the enterprise sized questions such as; just how should we persist an object?

In point of fact, the rumor has it that Microsoft has been down this O/R road a couple of times before internally, and that they’ve backed away from it each time for precisely these reasons. And yes, Kirk, you’ve nailed it on the head: both Java and .NET are going to have to figure out how they want to crack this nut, and my vote is for doing it at the language level, although your idea of tackling it at the VM level is also a good one. (The VM approach I think would just be harder to support across versions and across platforms in the case of the JVM.) For what it’s worth, there was an experimental VM from Sun (PJava?) that went down this object-persistence-in-the-VM road, and it was interesting to look at some of the papers that came out of it. (I will probably go back and have another look before too long, though the project stopped work, as I recall.)

Ultimately, though, Kirk (and others) are basically asking me for a detailed Java Vietnam essay, and I promise to deliver one within the next month or so. It’ll probably kick off my new blog system sometime in February or March; be on the lookout to change your RSS aggregators, though I’m going to try and preserve the old links somehow, either by just storing off the old weblogs as static HTML, or by writing a filter to redirect to the new blog where I’ll have ported over the entries (though possibly not the comments, we’ll have to see).

Kirk rounds out with:

    Just to round out the show, the host biles two report writting products (Crystal being one of them) in favor of the Microsoft product. Man, if you have to bash your competitors….

Oh, and Sun or BEA or IBM never bash their competitors? Fact is, Crystal has a seriously negative reputation as a reporting tool, and a LOT of VB programmers have told me that they’d use anything other than Crystal if something else even remotely close to it were available. I haven’t heard this reaction from Java folks nearly as often, and I’m honestly not sure why, except that maybe we never used it as much, being more server-focused and Crystal being more client-focused. *shrug*

In the end, I thought it was a good show, and a good information exchange between two groups that approach the same problems in very different fashion. Did anybody in the Java world suddenly come to embrace .NET because of it, or vice versa? No, but that wasn’t the point of the show, either, and to assume that anything that has ".NET" in it is a thinly-veiled attempt at evangelism is to make some serious false assumptions regarding the people in the .NET world.

Still think all ‘Softies are evil?

From Bryan Keller’s weblog, from the 13th of this month:

    We received a mail today highlighting just some of Microsoft’s contributions to the tsunami relief fund. I think it’s amazing the amount of generosity the people at this company show. Here’s a snippet of the email:

        As Steve announced in his e-mail of December 30th, Microsoft has made an initial contribution of $2 million to relief and recovery efforts. We also estimated that we would donate an additional $1.5 million to match employee contributions. While we still await comprehensive figures from our international subsidiaries, partial reporting shows that to-date employees have contributed more than $1.8 million, which Microsoft will match. Offices around the world are raising funds in a variety of ways; in EMEA, employees contributed $420,000, to date. Microsoft India reports that 70% of employees have pledged a day of their salary for the relief efforts. These are just two examples of the generosity of our employees.

    That’s an average of $112 per employee, in addition to whatever money people donated separately from our internal matching drive. That makes me pretty proud to work here.

Now THAT’S community involvement.

Folks, I dunno about you, but I’m deeply humbled and impressed that 70% of all the employees at Microsoft India surrendered a day of their salary to the tsunami victims. That’s just awesome. I echo Clemens’ sentiments: "Since my time will be auctioned, too, I can already promise that I will employ a rather liberal interpretation of "hour" if we get enough money in."

“This XML over HTTP thing was supposed to be easy”, he says…

From the Java quarter, a suggestion that those who "are creating a publically available webservice", to "make sure it is available over HTTPS and encourage people to use the HTTPS version":

    There are way too many badly behaved firewalls and proxies (from companies that should know better) that munge things in ways that are very hard to debug. … For instance (just as a totally random example that I swear has caused me no pain what-so-ever over the last few weeks…), Checkpoint’s NG55 firewall has built in "Cross Site Scripting Protection". Unfortunately, it failes to check MIME types, SOAP actions or ever the user agent header – it just blindly drops any content that contains various defined keyword. It’s a stupid, stupid idea (especially since it doesn’t seem to check unicode versions on the same strings) that is best protected against by running over HTTPS.

Unfortunately HTTPS only protects during part of the story–and it only works with HTTP. Transport-level security only protects the data while it’s in transit, and with a growing adoption rate of Web services comes a growing movement to use other transports as well. (Question for those who think HTTPS is enough to secure your Web service: Where do most credit card numbers get stolen from? Answer: the database, where HTTPS/SSL has no effect whatsoever.) This is why WS-Security (and its related specifications) were created, and unfortunately is a sign that Web services are "growing up".

I’m sorry you got sold the bill of goods that said that "XML over HTTP" was supposed to be easy–it’s only easy so long as you did simple things with it. This is what REST is all about, for example. But as we start to use something good, we start asking more and more of it (like to be secure as the data travels in transit), and that’s when the harder stuff starts to creep in and everything gets complicated again.

After all, it wasn’t that long ago when we were happy just to have TCP/IP standardized across the network–after all, how hard can it be to open() a socket and read() and write() to it?

More on “XML over HTTP”

A couple of comments on that post deserve further response:

    Matt wrote:

        How would WS-Security improve the CC#-stolen-from-the-database scenario?

    Depends on how you want to look at it. If the database in question is the "final repository" for the credit card, it probably won’t. But if this message is resting in the database (or on the filesystem, or….) while waiting to be processed, then WS-Security will help, because it secures the entirety of the message, not just while the message is traveling across the network (which is what SSL buys you).
    An anonymous commenter wrote:

        Ted, While I agree that SSL is not the end-all in security I think you missed the point of your quote. The poster was trying to explain that since SSL does encrypt its payload it has the benefit of preventing well meaning yet fundamentally flawed intermediaries from acting upon the data they’re supposed to be delivering. The firewall in this instance.

    An "intermediary" that wants to act on the payload isn’t really an intermediary anymore, but a processing node in its own right that participates in a workflow chain. An intermediary certainly has the right and responsibility to affect the message headers, but not the payload itself. To say that SSL provides the "benefit" of preventing well-meaning intermediaries from doing this is to hide the ill-behaved nature of the intermediary itself, and doesn’t properly address the problem.