5 Years Later: OpenAJAX Who?
Five years ago the OpenAjax Alliance was founded with the intention of providing interoperability between what was quickly becoming a morass of AJAX-based libraries and APIs. Where is it today, and why has it failed to achieve more prominence? I stumbled recently over a nearly five year old article I wrote in 2006 for Network Computing on the OpenAjax initiative. Remember, AJAX and Web 2.0 were just coming of age then, and mentions of Web 2.0 or AJAX were much like that of “cloud” today. You couldn’t turn around without hearing someone promoting their solution by associating with Web 2.0 or AJAX. After reading the opening paragraph I remembered clearly writing the article and being skeptical, even then, of what impact such an alliance would have on the industry. Being a developer by trade I’m well aware of how impactful “standards” and “specifications” really are in the real world, but the problem – interoperability across a growing field of JavaScript libraries – seemed at the time real and imminent, so there was a need for someone to address it before it completely got out of hand. With the OpenAjax Alliance comes the possibility for a unified language, as well as a set of APIs, on which developers could easily implement dynamic Web applications. A unified toolkit would offer consistency in a market that has myriad Ajax-based technologies in play, providing the enterprise with a broader pool of developers able to offer long term support for applications and a stable base on which to build applications. As is the case with many fledgling technologies, one toolkit will become the standard—whether through a standards body or by de facto adoption—and Dojo is one of the favored entrants in the race to become that standard. -- AJAX-based Dojo Toolkit , Network Computing, Oct 2006 The goal was simple: interoperability. The way in which the alliance went about achieving that goal, however, may have something to do with its lackluster performance lo these past five years and its descent into obscurity. 5 YEAR ACCOMPLISHMENTS of the OPENAJAX ALLIANCE The OpenAjax Alliance members have not been idle. They have published several very complete and well-defined specifications including one “industry standard”: OpenAjax Metadata. OpenAjax Hub The OpenAjax Hub is a set of standard JavaScript functionality defined by the OpenAjax Alliance that addresses key interoperability and security issues that arise when multiple Ajax libraries and/or components are used within the same web page. (OpenAjax Hub 2.0 Specification) OpenAjax Metadata OpenAjax Metadata represents a set of industry-standard metadata defined by the OpenAjax Alliance that enhances interoperability across Ajax toolkits and Ajax products (OpenAjax Metadata 1.0 Specification) OpenAjax Metadata defines Ajax industry standards for an XML format that describes the JavaScript APIs and widgets found within Ajax toolkits. (OpenAjax Alliance Recent News) It is interesting to see the calling out of XML as the format of choice on the OpenAjax Metadata (OAM) specification given the recent rise to ascendancy of JSON as the preferred format for developers for APIs. Granted, when the alliance was formed XML was all the rage and it was believed it would be the dominant format for quite some time given the popularity of similar technological models such as SOA, but still – the reliance on XML while the plurality of developers race to JSON may provide some insight on why OpenAjax has received very little notice since its inception. Ignoring the XML factor (which undoubtedly is a fairly impactful one) there is still the matter of how the alliance chose to address run-time interoperability with OpenAjax Hub (OAH) – a hub. A publish-subscribe hub, to be more precise, in which OAH mediates for various toolkits on the same page. Don summed it up nicely during a discussion on the topic: it’s page-level integration. This is a very different approach to the problem than it first appeared the alliance would take. The article on the alliance and its intended purpose five years ago clearly indicate where I thought this was going – and where it should go: an industry standard model and/or set of APIs to which other toolkit developers would design and write such that the interface (the method calls) would be unified across all toolkits while the implementation would remain whatever the toolkit designers desired. I was clearly under the influence of SOA and its decouple everything premise. Come to think of it, I still am, because interoperability assumes such a model – always has, likely always will. Even in the network, at the IP layer, we have standardized interfaces with vendor implementation being decoupled and completely different at the code base. An Ethernet header is always in a specified format, and it is that standardized interface that makes the Net go over, under, around and through the various routers and switches and components that make up the Internets with alacrity. Routing problems today are caused by human error in configuration or failure – never incompatibility in form or function. Neither specification has really taken that direction. OAM – as previously noted – standardizes on XML and is primarily used to describe APIs and components - it isn’t an API or model itself. The Alliance wiki describes the specification: “The primary target consumers of OpenAjax Metadata 1.0 are software products, particularly Web page developer tools targeting Ajax developers.” Very few software products have implemented support for OAM. IBM, a key player in the Alliance, leverages the OpenAjax Hub for secure mashup development and also implements OAM in several of its products, including Rational Application Developer (RAD) and IBM Mashup Center. Eclipse also includes support for OAM, as does Adobe Dreamweaver CS4. The IDE working group has developed an open source set of tools based on OAM, but what appears to be missing is adoption of OAM by producers of favored toolkits such as jQuery, Prototype and MooTools. Doing so would certainly make development of AJAX-based applications within development environments much simpler and more consistent, but it does not appear to gaining widespread support or mindshare despite IBM’s efforts. The focus of the OpenAjax interoperability efforts appears to be on a hub / integration method of interoperability, one that is certainly not in line with reality. While certainly developers may at times combine JavaScript libraries to build the rich, interactive interfaces demanded by consumers of a Web 2.0 application, this is the exception and not the rule and the pub/sub basis of OpenAjax which implements a secondary event-driven framework seems overkill. Conflicts between libraries, performance issues with load-times dragged down by the inclusion of multiple files and simplicity tend to drive developers to a single library when possible (which is most of the time). It appears, simply, that the OpenAJAX Alliance – driven perhaps by active members for whom solutions providing integration and hub-based interoperability is typical (IBM, BEA (now Oracle), Microsoft and other enterprise heavyweights – has chosen a target in another field; one on which developers today are just not playing. It appears OpenAjax tried to bring an enterprise application integration (EAI) solution to a problem that didn’t – and likely won’t ever – exist. So it’s no surprise to discover that references to and activity from OpenAjax are nearly zero since 2009. Given the statistics showing the rise of JQuery – both as a percentage of site usage and developer usage – to the top of the JavaScript library heap, it appears that at least the prediction that “one toolkit will become the standard—whether through a standards body or by de facto adoption” was accurate. Of course, since that’s always the way it works in technology, it was kind of a sure bet, wasn’t it? WHY INFRASTRUCTURE SERVICE PROVIDERS and VENDORS CARE ABOUT DEVELOPER STANDARDS You might notice in the list of members of the OpenAJAX alliance several infrastructure vendors. Folks who produce application delivery controllers, switches and routers and security-focused solutions. This is not uncommon nor should it seem odd to the casual observer. All data flows, ultimately, through the network and thus, every component that might need to act in some way upon that data needs to be aware of and knowledgeable regarding the methods used by developers to perform such data exchanges. In the age of hyper-scalability and über security, it behooves infrastructure vendors – and increasingly cloud computing providers that offer infrastructure services – to be very aware of the methods and toolkits being used by developers to build applications. Applying security policies to JSON-encoded data, for example, requires very different techniques and skills than would be the case for XML-formatted data. AJAX-based applications, a.k.a. Web 2.0, requires different scalability patterns to achieve maximum performance and utilization of resources than is the case for traditional form-based, HTML applications. The type of content as well as the usage patterns for applications can dramatically impact the application delivery policies necessary to achieve operational and business objectives for that application. As developers standardize through selection and implementation of toolkits, vendors and providers can then begin to focus solutions specifically for those choices. Templates and policies geared toward optimizing and accelerating JQuery, for example, is possible and probable. Being able to provide pre-developed and tested security profiles specifically for JQuery, for example, reduces the time to deploy such applications in a production environment by eliminating the test and tweak cycle that occurs when applications are tossed over the wall to operations by developers. For example, the jQuery.ajax() documentation states: By default, Ajax requests are sent using the GET HTTP method. If the POST method is required, the method can be specified by setting a value for the type option. This option affects how the contents of the data option are sent to the server. POST data will always be transmitted to the server using UTF-8 charset, per the W3C XMLHTTPRequest standard. The data option can contain either a query string of the form key1=value1&key2=value2 , or a map of the form {key1: 'value1', key2: 'value2'} . If the latter form is used, the data is converted into a query string using jQuery.param() before it is sent. This processing can be circumvented by setting processData to false . The processing might be undesirable if you wish to send an XML object to the server; in this case, change the contentType option from application/x-www-form-urlencoded to a more appropriate MIME type. Web application firewalls that may be configured to detect exploitation of such data – attempts at SQL injection, for example – must be able to parse this data in order to make a determination regarding the legitimacy of the input. Similarly, application delivery controllers and load balancing services configured to perform application layer switching based on data values or submission URI will also need to be able to parse and act upon that data. That requires an understanding of how jQuery formats its data and what to expect, such that it can be parsed, interpreted and processed. By understanding jQuery – and other developer toolkits and standards used to exchange data – infrastructure service providers and vendors can more readily provide security and delivery policies tailored to those formats natively, which greatly reduces the impact of intermediate processing on performance while ensuring the secure, healthy delivery of applications. API Jabberwocky: You Say Tomay-to and I Say Potah-to OpenAjax Metadata 1.0 and the Adobe Dreamweaver Widget Browser OpenAjax Alliance AJAX-based Dojo Toolkit The Stealthy Ascendancy of JSON JSON Continues its Winning Streak Over XML JSON versus XML: Your Choice Matters More Than You Think I am in your HTTP headers, attacking your application The Web 2.0 API: From collaborating to compromised IT as a Service: A Stateless Infrastructure Architecture Model JSON Activity Streams and the Other Consumerization of IT
SSL certificates Expiration
I run below SSL expiration certifiacate script on LTM with 11.x version ! /bin/bash set acceptable threshold in seconds (172800 seconds = 2 days) threshold=185920000 get today's date this_date= date +%s set path to certificates cert_path=/config/ssl/ssl.crt/ for f in $cert_path*.crt do this_cert_date_literal= openssl x509 -in $f -noout -enddate |sed s/notAfter=// this_cert_date= date -d "$this_cert_date_literal" +%s if [ $this_date -ge $(($this_cert_date - $threshold)) ] then expires_when=$(((this_cert_date - $this_date) / 60 / 60 / 24)) echo "$f is about to expire in $expires_when days" additional processing for expiring certs goes here fi done But get no output as such.Please suggest.
found error "bad option" while blocking specific user agent
Hi team, I got an error like following. Do you have any idea of this? TCL error: /Common/ua_block - bad option "--user-agent=mozilla/5.0 (x11; linux x86_64) applewebkit/537.36 (khtml, like gecko) chrome/32.0.1700.77 safari/537.36": must be -exact, -glob, -regexp, or -- while executing "switch -glob [string tolower [HTTP::header "User-Agent"]] { "sqlmap" - "havij" - "nmap" - "nessus" - "..." I think the case is like the case below... https://devcentral.f5.com/questions/switch-glob-behaviour-when-comparison-string-starts-with-a-hyphen The iRule is like following when HTTP_REQUEST { log local0. "User-Agent:[HTTP::header "User-Agent"]" switch -glob [string tolower [HTTP::header "User-Agent"]] { "*sqlmap*" - "*havij*" - "*nmap*" - "*nessus*" - "*absinthe*" - "*nikto*" - "*w3af*" - "*pangolin*" - "*bsqlbf*" - "*prog.customcrawler*" - "*sql power injector*" - "*mysqloit*" - "*netsparker*" { if { !([IP::addr [IP::client_addr] equals 192.168.XXX.XXX]) } { discard log local0. "[HTTP::header "User-Agent"] discarding." } } } } Thank you for your help.
iRule snippet insertion 11.5.1
Long story short I have an irule to insert some snippets in the HTTP response but instead of inserting the contents of the variables, it is just using the actual string text. The log output shows $y and $stream_expression values as @$head_token@$detection_snippet@ instead of the contents of those variables which check out fine in section 4. Section 5 is the problem area. Any advice would be much appreciated. Section 3: Identify Location Tokens set head_token "" End of section 3 Section 4: Identify Snippet iFiles set detection_snippet "[subst -nocommands -nobackslashes [ifile get Test_locdrive_js]]$head_token" set collection_snippet "[subst -nocommands -nobackslashes [ifile get Test_exout_js]]$head_token" set session_rst_snippet "[subst -nocommands -nobackslashes [ifile get Test_sessionrst_js]]$head_token" set uid_collect_snippet "[subst -nocommands -nobackslashes [ifile get Test_setdata_js]]$head_token" set perm_uid_snippet "[subst -nocommands -nobackslashes [ifile get Test_runvar_js]]$head_token" log local0. "Trusteer-assign snippet variables" log local0. "$head_token" log local0. "$detection_snippet" log local0. "$uri(1)" End of section 4 Section 5: Modify URL and Snippet Array array set snippet_insertion { "[subst $uri(1)]" @$head_token@$detection_snippet@ "[subst $uri(2)]" @$head_token@$uid_collect_snippet@@$head_token@$perm_uid_snippet@ } End of section 5 Do Not Modify foreach {x y} [array get snippet_insertion] { if {$loc == "[subst $x]"} { log local0. "$x" log local0. "$loc" log local0. "$y" set stream_expression $y log local0. "$stream_expression" STREAM::expression [subst $stream_expression] STREAM::enable log local0. "Trusteer enabling stream" } } } } End of 'Do Not Modify' Section End of iRule
Rewriting cache headers before they are used by BigIp
So I have a server behind BigIp that's pretty lame about letting me set cache headers... in short: I can't. So I'd like to try to set the cache headers using an iRule but have them applied before they go through the normal cache processing that BigIp can do. If the resource at http://server.com/foo.js?v=1 should be (it isn't, there's actually no cache-control header): Cache-Control: max-age=31557600, public Is it possible to create an iRule that would have the cache mechanisms currently available for caching content at the BigIp use that header, as well as apply it to any response it sends out?
need help creating an iRule
hi all, Hope you all doing well. Could someone help me with creating an iRule? I would like to create an iRule which will forward all http/https request to go to a URL. For example: abc.com www.abc.com http://abc.com etcc. will all go to https://www.abc.com Here's the current iRule i have but it's re-directing all traffic to https://abc.com . I need it all to go to https://www.abc.com instead. when HTTP_REQUEST { Check if the host starts with www. if {[string tolower [HTTP::host]] starts_with "www."}{ Redirect with the www. prefix removed to the same URI HTTP::redirect "https://[string range [HTTP::host] 4 end][HTTP::uri]" } } Thank you very much for your assistance, JTCan't open java applet component when connecting to the application through Load balancer F5
Hi We have one new building and the workstations are connected to our network. There is two systems that has java applet components that when clicked, it does not load the java applet. But when connecting to the application server node directly, these java applet components are opened. Al other buildings in other locations are working fine even through the current F5. Only this site has the issue !!! Our collegues checked for the workstation configurations and also bring one workstation to our IT department building and connected to same applications through the same F5, it Worked without any issues. I have one system for Oracle applications 12.1 that I enabled the java debugging console. The output showed exception network: Connecting http://hrms.domain.org:8080/ with proxy=DIRECT java.lang.InterruptedException at java.lang.Object.wait(Native Method) at sun.plugin2.message.Queue.waitForMessage(Unknown Source) at sun.plugin2.message.Pipe.receive(Unknown Source) at sun.plugin2.main.client.MessagePassingExecutionContext.doCookieOp(Unknown Source) at sun.plugin2.main.client.MessagePassingExecutionContext.getCookie(Unknown Source) at sun.plugin2.main.client.PluginCookieSelector.getCookieFromBrowser(Unknown Source) at com.sun.deploy.net.cookie.DeployCookieSelector.getCookieInfo(Unknown Source) at com.sun.deploy.net.cookie.DeployCookieSelector.get(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection.setCookieHeader(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection.writeRequests(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) at com.sun.deploy.net.DownloadEngine.getJarFileWithoutCache(Unknown Source) at com.sun.deploy.net.DownloadEngine.downloadJarWithoutCache(Unknown Source) at sun.plugin.PluginURLJarFileCallBack$2.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at sun.plugin.PluginURLJarFileCallBack.retrieve(Unknown Source) at sun.net.www.protocol.jar.URLJarFile.retrieve(Unknown Source) at sun.net.www.protocol.jar.URLJarFile.getJarFile(Unknown Source) at sun.net.www.protocol.jar.JarFileFactory.get(Unknown Source) at sun.net.www.protocol.jar.JarURLConnection.connect(Unknown Source) at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(Unknown Source) at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFileInternal(Unknown Source) at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source) at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source) at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$1000(Unknown Source) at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source) at com.sun.deploy.security.DeployURLClassPath$JarLoader.(Unknown Source) at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source) at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source) at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source) at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source) at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source) at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source) at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source) at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source) at java.lang.ClassLoader.loadClass(Unknown Source) at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source) at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source) at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source) at java.lang.Thread.run(Unknown Source) network: Cookie service is not available - use cache to determine "Cookie" network: Connecting http://hrms.domain.org:8080/OA_JAVA/oracle/apps/fnd/jar/fndewt.jar with cookie "HRPROD=rClRylxIBeH_r2yj3qbDh_n8:S; BIGipServerPool-NDC-HRMS-8080=269161644.16415.0000; oracle.uix=0^^GMT+3:00^p" network: Downloading resource: http://hrms.domain.org:8080/OA_JAVA/oracle/apps/fnd/jar/fndewt.jar Content-Length: 2,241,848 Content-Encoding: null We are using BIG-IP 11.0.0 Build 8037.0 Final The issue only happen for that building, all other buildings connecting the same F5 are working fine without any issues. When opening the page directly from the application server, like http://node1.domain.org:8080 , the java applet is downloadable and can be displayed. Kindly advice Thank you C.Exchange 2010 SP3, iApp template 2012_04_06 and Big IP 11.4.1 Build 608.0 - EWS issue
As per subject, is this combination supported? When using APM and Outlook anywhere I am having the following problem: Dec 12 10:06:31 lhr4-lb-01 debug tmm3[9610]: 01490000:7: Enable ECA: select_ntlm:/exchange/exchange-2010-application.app/exch_ntlm_exchange-2010 -application_combined_https Dec 12 10:06:31 lhr4-lb-01 err eca[7202]: 0162000e:3: Invalid argument (/exchange/exchange-2010-application.app/exch_ntlm_exchange-2010-applicat ion_combined_https) Dec 12 10:06:31 lhr4-lb-01 err eca[7202]: 0162000e:3: Invalid metadata (select_ntlm:/exchange/exchange-2010-application.app/exch_ntlm_exchange-2 010-application_combined_https) Dec 12 10:06:31 lhr4-lb-01 debug tmm2[9610]: 01490000:7: Matches RPC Dec 12 10:06:31 lhr4-lb-01 err eca[7202]: 0162000e:3: Invalid argument (/exchange/exchange-2010-application.app/exch_ntlm_exchange-2010-applicat ion_combined_https) Dec 12 10:06:31 lhr4-lb-01 err eca[7202]: 0162000e:3: Invalid metadata (select_ntlm:/exchange/exchange-2010-application.app/exch_ntlm_exchange-2 010-application_combined_https) Looking at this script block, is the object_name correctly formatted in the iApp template? Ntlm-auth requires a specially-named prefix to match a system irule. if { $key == "ntlm,ntlm-auth,combined_https" || $key == "ntlm,ntlm-auth,oa_https" || $key == "ntlm,ntlm-auth,edge" } { regsub ".app/exchange" $object_name \ ".app/exch_ntlm_${app}" object_name }
I need to know how we can alter the default behaviour of Icontrol api, when setting SSL configuration
Its very uncomfortable to use iControl api in an application which is installed in websphere. Reason being below code in Interfaces.java: //------------------------------------------------------------------- // Constructor //------------------------------------------------------------------- public Interfaces() { System.setProperty("javax.net.ssl.trustStore", System.getProperty("user.home") + "/.keystore"); XTrustProvider.install(); } public Interfaces(String hostname, String username, String password) { System.setProperty("javax.net.ssl.trustStore", System.getProperty("user.home") + "/.keystore"); XTrustProvider.install(); initialize(hostname, username, password); } public Interfaces(String hostname, long port, String username, String password) { System.setProperty("javax.net.ssl.trustStore", System.getProperty("user.home") + "/.keystore"); XTrustProvider.install(); initialize(hostname, port, username, password); } As you can see api automatically sets truststore path (System.setProperty("javax.net.ssl.trustStore", System.getProperty("user.home") + "/.keystore");) , It alters default behavior of Websphere. We get following error: [9/19/13 10:47:27:638 MST] 00000022 SystemOut O ; nested exception is: java.net.SocketException: java.lang.Exception: Truststore file does not exist: /home/wsadmin/.keystore We have explicitly set keystore for websphere but still its looking into /home/wsadmin as this is getting set in interface. java. So in short is there any way to unset 'System.setProperty("javax.net.ssl.trustStore", System.getProperty("user.home") + "/.keystore");'
