Arsenalist

Arsenal blog by a Canadian

Archive for the 'tech' Category

Logging abstraction is utterly pointless

Posted by Arsenalist on 12th September 2007

I had always thought so but in the last week I’ve concluded with dynamite determination that logging abstraction is completely pointless. No. Benefit. Whatsoever. Could I be mistaken? No, if anything you’re probably still hanging on to Commons Logging because somebody told you how great it was, I don’t think anyone in their right mind would, after taking a step back and looking at the circumstances say, Hmmm, I really need to be careful and not commit myself to Log4J because God knows when Mark Womack and his team might pack it in and leave me hangin’. The same people who name their first born after Commons Logging classes commit themselves to products like IText, JFreeChart and GodKnowsWhat without ever thinking about abstraction. Raise your hand if you’ve ever used IText and considered what happens if you want to switch your PDF generation tool? Nobody? So why the hell do we care so much about logging?

Luckily the answer is as simple as it is stupid: making a logging tool is so freaking easy that everybody’s got a homegrown one which they swear by and would never ditch even if they were offered ass in return (this just in, Logger just won the most used classname ever, it beat out Tester). So instead they use Commons Logging which gives them the feeling of not being such a big idiot with the added bonus of sleeping well at night knowing that they could eaaaasily switch to Log4J if they wanted to. What these poor saps don’t know is that switching between logging tools isn’t even that easy regardless of the abstraction, you still have to worry about configuring your tool which is a major pain in the ass if you want to actually stick to the proper log levels. Besides, nobody’s switching to anything, once you pick a logging framework you stick with it until the application is dead. Period. No exceptions. And if you happen to be switching your logging implementation so frequently that you need abstraction you suck at design and product evaluation.

Do you really care which of the two following imports you’d rather have shit on your code: org.apache.commons.logging or org.apache.log4j? Unless you have a thing for using commons packages (and some people do) you probably don’t give a rat’s ass. So with that in mind why don’t we save ourselves some trouble and just use Log4J, and as a bonus I’ll throw in the pro of Tomcat not barfing every time it sees two commons logging jars in its classpath, God forbid if they’re two different versions because then it starts giving you errors that make you regret ever even getting into Java.

The only way to beat Log4J is to have something out of the ever so trustworthy java.* packages do the logging for you. Luckily there’s JULI which is really great but unfortunately it’s documented about as poorly as Guice and isn’t marketed nearly as aggressively as that retard Duke (I really hate that son of a bitch, looks like a tooth with a big cavity). Besides, anytime anyone asks you to modify something in the JAVA_HOME directory to configure something red flags go up. Somebody please document how to load a config file from your classpath without specifying a -D option in JAVA_OPTS. I mean I’m configuring logging, not optimizing my garbage collection, yeeeesh.


This post has moved to here.

Posted in Technology, java, log4j, tech | Comments Off

On hiatus

Posted by Arsenalist on 21st August 2007

Due to a family emergency, I’ll be on hiatus till at least August 30th.

Posted in Raptors, arsenal, tech, tfc, toronotfc | No Comments »

Career not going anywhere? Just change your title

Posted by Arsenalist on 21st August 2007

So you’ve been working away at your development job for God knows how long and there’s no end in sight to your misery. There’s no chance of moving up in the company and although your bosses like you, they don’t think much of you. They’re happy with what you’re doing as long as you do it quietly, deliver in the whereabouts of your deadlines, show up to the company picnic and stay out of any real decision making. You’re taking up more and more responsibilities over the years but your pay is only being raised by a paltry 2% while the cost of living is going up by 5. You know you’re being fucked but are too lazy or incapable of doing anything. So what do you do? You change your title of course.

Read the rest of this entry »

Posted in Technology, java, tech | 9 Comments »

CXF WS-Security using JSR 181 + Interceptor Annotations (XFire Migration)

Posted by Arsenalist on 31st July 2007

This post has moved here.

Posted in cxf, java, maven, spring, tech, web services, xfire | Comments Off

Unit Testing Struts 2 Actions wired with Spring using JUnit

Posted by Arsenalist on 18th June 2007

This post has moved here.

Posted in java, junit, spring, struts, tech, testing | Comments Off

When Web 2.0 goes wrong – Part 2

Posted by Arsenalist on 6th June 2007

Here’s the second part of my rundown of Webware’s “best web apps“. Check out the first installment if you haven’t already. Here are the offenders:

Windows Live Hotmail: In other words, Hotmail. All the power to the guy who invented Hotmail and blew open the doors to internet communication, it’s just too bad Microsoft has since ruined Hotmail by a) not improving it for the first five years after acquiring it and b) handing the renovation project over to a bunch of monkeys who insist on making it look more like Windows, only slower. Just like anything else webby, Microsoft was late in pumping out a proper email platform and when it finally did, it forgot to copy Gmail properly. Instead it took the approach of copying Gmail and at the same time keeping components of the already crappy Hotmail intact. Bad move. I don’t want to right click to select multiple messages, we do that with checkboxes on the web. The Spam filtering is still brutal and the emails that you actually want to receive end up in the Junk folder (something that has NEVER happened to me with Gmail) or you’re forced to click pointless buttons like “Show Content” and “Mark as Safe” even for emails sent by your Mom. The interface shifts more often than Alberto Gonzales and 20% of the screen is taken up by an ad. The concept of tags still hasn’t caught on and you’re forced into segregating content into folders. If you have any integrity you should stop using Hotmail.

Windows Live Messenger: In other words, MSN. I still have a copy of 4.1 on my machine, see that’s where the product stopped being chatting software and turned into a slow and bloated commercial about other Microsoft services. Throw in links to date.com, some trashy horoscope sites, an MSN Today popup that should never have seen the light of day and you end up with Windows Live Messenger – the crappiest chatting software in the world. It must’ve been a slow year for Webware to select this piece of trash in their top 500. The problem with this thing is that it doesn’t know who it’s catering to so it tries to please everyone: huge emoticons, whiteboards, limits on how much can be typed, multiple contact groups, bulky user interface, games, celebrity gossip, all send mixed messages to someone who’s just trying to tell his wife to pick up some bread when coming back from work. Death to Messenger.

Flickr: OK, you have to understand that unless you have a pro account Flickr is about as useless as an appendix. Here are some of the restrictions: only three albums allowed, 100MB upload per month and here’s the kicker: You can only display 200 images at any given point! The last restriction pretty much encapsulates the first two rendering the entire product worthless for anyone who takes say 10 pictures a month. So much for the “Flickr loves you” slogan, a more appropriate one would be “Buy the pro account!”. Sure there’s some nice stuff, RSS feeds and of the sort but if you’re going to spend your money, don’t give it to Yahoo, they’re rich enough. Try SmugMug which is vastly superior and run by people who genuinely care about your user experience (use vz6dRtcdUp91g as the coupon code to help a brother out). If you’re too cheap to spend money on photography storage, PhotoBucket is still better than Flickr. They don’t have a great uploader but thanks to the people at Flock, that’s been taken care of.

MyPunchBowl: Again with the modal boxes. Go there, sign up, and try to add an event, then tell me what you think of the site. The love affair with Lightbox continues as it seems every alternate form is using it regardless of whether the usage is justified. Maybe it’s something about the screen dimming after you click on a button that gets developers and marketing folks all wet in the pants, either way it’s getting to the point where usability is being sacrificed for the sake of using a gimmick. Also, since when did it become so cumbersome to click “Edit” and then start typing that people have resorted to making multiple text boxes and textareas disabled only to bring them to life after an unintuitive click, thereby wasting away any sort of tacit knowledge the user might’ve had. Where and when did this design principle pop out? A site that is dead simple in the functionality it offers is made to look like a 70 year old whore in 5 inch heels.

Wink: This site is a little scary. It’s a people search that searches social networks such as MySpace, Bebo, LinkedIn and Friendster to suck any information about the unfortunate soul whose name was typed. Apparently the privacy agreements you sign on some of these sites allow third party apps to search their databases, pull up personal info including photographs and display it to ANYONE, something that might not be apparent at first glance. Remember the times when it was cool to use an image for a button? Well that practice is still acceptable as long as the result is somewhat pleasing to the eye. Don’t tell that to the designers at Wink, they love to use buttons with gradients that bring you all the way back to 1998 making you wonder where the colored scrollbars which would make the experience complete are. The app doesn’t search Facebook so it’s pretty much pointless.

Posted in flickr, hotmail, java, msn, mypunchbowl, tech, wink | 10 Comments »

When Web 2.0 goes wrong – Part 1

Posted by Arsenalist on 5th June 2007

I was checking Webware’s finalists for something called the “best web apps” of the year and the first thing you notice is that almost every site on there is named like a pet that you might’ve once owned which later turned into roadkill. Some of the gems to be found include Zillow, Zoho, Bebeo, Meetro, Yoono, Ning, Geni, and the list continues. Curiosity got the better of me and I started on a journey of trying out some of the “best web apps” and trying to figure out how they can help me make my life complete or at least give me a better way to waste my time. So here’s what I thought of them:

MyBlogLog: This is what you call a regurgitated idea that’s been wrapped around an interface so ugly that it makes MySpace look like modern art. Here’s how it works: they beg you to link a JavaScript file in your code and then proceed to collect stats off of it, something Web Side Story did from the beginning of time and something which is replicated by AWStats to near perfection. If you’ve got a WordPress blog or anything other than Blogger, don’t bother with this crap. Oh yeah, as soon as you sign up some guy named “Eric” automatically becomes your “friend” and introduces himself as one of the owners of this operation. Funnily enough, judging by his last login date, he himself hasn’t logged in to this misadventure in over four days. But I encourage everyone to sign up and look at the “Edit Profile” page and tell me if you’ve ever seen a form so ugly and hideous.

Tangler: It doesn’t even matter what this site does. Its blatant rape of Ajax is so apparent that you just want to disable JavaScript for kicks and see how it reacts. Here’s a sign of bad design: you clicked on a main menu option and a “loading..” sign pops up while it fetches a static submenu. WTF? The site is generally agonizingly slow and I don’t really know who to blame for it, maybe it’s their adoption of the Yahoo API instead of Google Analytics that’s pushing it down the toilet in terms of speed. The idea of the site (not a bad one) is to have all your discussions in one place, the execution however lacks the simplicity required, no, demanded by such a venture.

Venyo: This site lets you build and ruin reputations and calls itself the “web 2.0 trust provider”. You’re supposed to build a “trust index” until people stop thinking you’re a pedophile and finally allow you to comment on their blogs. People on this site have their trust settings such that you can see their first name, their last name, a close-up picture but NOT their username. This is how they justify their existence: “The lack of trust has always been an issue on the Internet and it will not get better with the emergence of new collaborative services particular to Web 2.0.” Building trust on this site means jack squat, hire 100 people in India, pay them a dollar each and you can run for president.

Squidoo: What do you call a blog without calling it a blog? A lens. As you strive and suffer your way towards becoming a “Lensmaster” you’ll realize that if you have to wait five seconds for a piece of content to load through Ajax and stare at the words “drumroll please” for the entire duration, it’s probably wiser to just load a new page. Much less aggravating. The site is trying to persuade its audience that it’s something different, cool and better, but in the end you’ll find out that it is nothing but a slow, badly designed and introverted blogging software that wishes it was a wiki.

Platial: Another site which misuses Lightbox. By now I’ve lost count and am beginning to second guess a personal decision to allow Lightbox in an app that I’m currently working on. Make a map of your life! Doesn’t that sound exciting? For most of the blokes that means to work and back but Platial.com is counting on the world traveler amongst us to make it a success. But there’s only so much you can do when you’re relying entirely on Google Maps to do all the work for you; this idea sounds great in theory but practically speaking, it doesn’t work. The process of “adding places” to your map is not intuitive and the Ajaxy features such as searching for places aren’t thought out. Note to Platial: Only popup modal boxes when the user somewhat expects them! Wayfaring.com is much better but it doesn’t matter because Google just pwn3d both with MyMaps.

Yelp: Here’s an idea that isn’t half bad: Bitch about all the bad food you’ve ever eaten. How eager was I when I hit the Sign Up button only to have the door slammed in my face as my Canadian postal code was rejected. Maybe another time, another place.

Here’s Part 2.

Posted in java, mybloglog, platial, reviews, squidoo, tangler, tech, venyo, yelp | 10 Comments »

Struts 2 Validation using Annotations

Posted by Arsenalist on 10th May 2007

This post has moved here.

Posted in java, struts, tech | Comments Off

Reason #256794 why IE sucks: Ajax Caching

Posted by Arsenalist on 2nd May 2007


This installment of Why IE Sucks? is dedicated to the innocent and virtuous developer who has spent hours and hours wondering why their Ajax calls are returning data so stale that it’s inedible to the point of being deadly. Here’s the scene: if you’re using Prototype or Scriptaculous and are wondering why Ajax.Updater or Ajax.Request are “not working” and the server-side call is never being made, relax there’s nothing wrong with what you’re doing, it all has to do with IE’s sick love of caching.

Firefox and any other browser made by developers possessing an IQ of over 50 don’t have this “feature” as IE likes to call it. The easiest way to avoid this is to not make GET calls at all using Ajax.Request or Ajax.Updater, instead use POST and you’ll be fine. If you’re hell bent on using GET, you will have to make every call made to the server unique. The fastest and easiest way of doing this for me is to append a random number at the end of the query string. In other words, use the parameters option from Ajax.Options and throw in a random number as one of the request parameters:
[sourcecode language='jscript']
new Ajax.Request('myPage.html', {
  method: 'get',
  parameters: {
    // random value so that every GET URL differs and IE cannot serve a cached copy
    differentiator: Math.floor(Math.random() * 50000)
  }
});
[/sourcecode]
As nasty and laughable as the above code is, it works since your final URL will always be something like myPage.html?differentiator=25632 courtesy of the random number being generated. Again, all this can be avoided by just using ‘post’.

So why does IE go out of its way to break our balls? It’s the philosophy of assuming your customers have the exact same needs as the developer who made the piece of software. You’d think after making life miserable enough by not having a debugger for JavaScript, they’d go easy on us when it comes to the most basic things of web development but no, every sweat or tear extracted is a penny earned for Microsoft.

This post has moved here.

Posted in ajax, java, prototype, tech | Comments Off

Python client for web services using WS-Security

Posted by Arsenalist on 27th January 2007

Hopefully this entry serves as some decent documentation on how to write a Python client that accesses a web service which uses WS-Security. When I was trying to figure it out, Otu Ekanem’s response on the mailing list was invaluable. The example is relevant for any web service framework independent of programming language. This is tested with XFire 1.2.4 but can be used with .NET or other Java web service frameworks like Axis2.

When accessing a web service which has WS-Security enabled you must send very specific headers as part of your SOAP envelope in order for the request to be processed. You can read all about the glorious specification in PDF Format if you like. I’m using the Zolera Soap Infrastructure (ZSI) Library for Python which supports client stub generation. Given the generated stubs, there are two ways of adding custom headers to outgoing SOAP messages.

Method 1 – Not desirable but worth a mention

The first method involves modifying the generated code which is highly undesirable. Using the very simple SportsService web service example, you must modify the generated SportsService_client.py and edit the following line:

[sourcecode language='python']
self.binding.Send(None, None,
    request, soapaction="", **kw)
[/sourcecode]
to read
[sourcecode language='python']
self.binding.Send(None, None,
    request, soapaction="", soapheaders=(obj1, obj2))
[/sourcecode]
where obj1 and obj2 are instances of Python objects which are serialized as part of the SOAP header. I found this way to be tedious as you have to design your classes to match the SOAP header and write additional serialization code. It is also hard to create the exact header as namespaces and prefixes tend to be a problem.

Method 2 – Probably the way to go, way more customizable

We can use DOM-like methods to modify the SOAP header and send out exactly what we need. The example implements the UsernameToken strategy but other ones can also be implemented by modifying the headers in a similar manner. The generated Port class’ binding attribute has a sig_handler attribute which can be assigned an instance of a custom class. In this custom class, we must implement two methods, sign and verify, that can modify the header and check its validity, respectively. The sign method takes in as argument a SoapWriter which enables us to modify the header. So without further ado, here’s the class that adds WS-Security headers to the outgoing SOAP envelope as discussed above. The code has been formatted and modified to fit the page.

[sourcecode language='python']
# The sha module is deprecated since Python 2.5; hashlib replaces it:
# http://docs.python.org/lib/module-hashlib.html
import hashlib

import binascii
import time
import random


class SignatureHandler:

    OASIS_PREFIX = ("http://docs.oasis-open.org/wss/2004/01/" +
                    "oasis-200401")

    SEC_NS = OASIS_PREFIX + "-wss-wssecurity-secext-1.0.xsd"
    UTIL_NS = OASIS_PREFIX + "-wss-wssecurity-utility-1.0.xsd"
    PASSWORD_DIGEST_TYPE = (OASIS_PREFIX +
        "-wss-username-token-profile-1.0#PasswordDigest")
    PASSWORD_PLAIN_TYPE = (OASIS_PREFIX +
        "-wss-username-token-profile-1.0#PasswordText")

    def __init__(self, user, password, useDigest=False):
        self._user = user
        self._created = time.strftime('%Y-%m-%dT%H:%M:%SZ',
                                      time.gmtime(time.time()))
        # random is not a cryptographic generator; os.urandom(20) is a
        # stronger source for the nonce
        self._nonce = hashlib.sha1(str(random.random())).digest()
        if useDigest:
            self._passwordType = self.PASSWORD_DIGEST_TYPE
            # PasswordDigest = Base64(SHA-1(nonce + created + password))
            digest = hashlib.sha1(self._nonce + self._created +
                                  password).digest()

            # binascii.b2a_base64 adds a newline at the end
            self._password = binascii.b2a_base64(digest)[:-1]
        else:
            # PasswordText sends the password itself in the header
            self._passwordType = self.PASSWORD_PLAIN_TYPE
            self._password = password

    def sign(self, soapWriter):

        # create the wsse:Security element
        securityElem = soapWriter._header.createAppendElement(
            "", "wsse:Security")
        securityElem.node.setAttribute("xmlns:wsse", self.SEC_NS)
        # attribute names are case-sensitive: SOAP 1.1 defines mustUnderstand
        securityElem.node.setAttribute("SOAP-ENV:mustUnderstand", "1")

        # create the wsse:UsernameToken element
        usernameTokenElem = securityElem.createAppendElement(
            "", "wsse:UsernameToken")
        usernameTokenElem.node.setAttribute("xmlns:wsse", self.SEC_NS)
        usernameTokenElem.node.setAttribute("xmlns:wsu", self.UTIL_NS)

        # create the wsse:Username element
        usernameElem = usernameTokenElem.createAppendElement(
            "", "wsse:Username")
        usernameElem.node.setAttribute("xmlns:wsse", self.SEC_NS)

        # create the wsse:Password element
        passwordElem = usernameTokenElem.createAppendElement(
            "", "wsse:Password")
        passwordElem.node.setAttribute("xmlns:wsse", self.SEC_NS)
        passwordElem.node.setAttribute("Type", self._passwordType)

        # create the wsse:Nonce element
        nonceElem = usernameTokenElem.createAppendElement(
            "", "wsse:Nonce")
        nonceElem.node.setAttribute("xmlns:wsse", self.SEC_NS)

        # create the Created element; the wsse prefix is rebound to the
        # utility namespace on this element only
        createdElem = usernameTokenElem.createAppendElement(
            "", "wsse:Created")
        createdElem.node.setAttribute("xmlns:wsse", self.UTIL_NS)

        # put values in elements
        usernameElem.createAppendTextNode(self._user)
        passwordElem.createAppendTextNode(self._password)
        # binascii.b2a_base64 adds a newline at the end
        nonceElem.createAppendTextNode(
            binascii.b2a_base64(self._nonce)[:-1])
        createdElem.createAppendTextNode(self._created)

    def verify(self, soapWriter):
        # intentionally empty: nothing is checked here
        pass
[/sourcecode]
Example usage of this is:
[sourcecode language='python']
from SportsService_client import *
from SportsService_types import *

# SignatureHandler is the class shown above
locator = SportsServiceLocator()
port = locator.getSportsServiceHttpPort()
sigHandler = SignatureHandler("user", "password", True)
port.binding.sig_handler = sigHandler

request = getMascotRequest()
teamObj = ns0.Team_Def("Team")
teamObj._name = "toronto"
request._team = teamObj

response = port.getMascot(request)
print response._out._name
[/sourcecode]
As you can see the SignatureHandler class is implementing an “interface” which enables it to process outgoing SOAP Requests. The verify method is empty but can contain code to check whether the SOAP header is valid.
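
What checking a UsernameToken involves on the receiving side, as an added example (not code from the original post, ZSI or XFire): it recomputes the PasswordDigest that SignatureHandler produces, checks Created against a freshness window and rejects reused nonces. It is written for Python 3's standard library; `TokenVerifier`, `make_token`, the five-minute window and the in-memory password store are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

CREATED_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # same layout SignatureHandler emits


def password_digest(nonce, created, password):
    """Base64(SHA-1(nonce + created + password)), as SignatureHandler builds it."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def make_token(user, password, now):
    """Client side: the four values sign() writes into the UsernameToken."""
    nonce = os.urandom(16)  # OS CSPRNG rather than random.random()
    created = now.strftime(CREATED_FORMAT)
    return {"Username": user,
            "Password": password_digest(nonce, created, password),
            "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created}


class TokenVerifier:
    """Receiving side: digest check, freshness window, nonce replay cache."""

    def __init__(self, passwords, max_age=timedelta(minutes=5)):
        self._passwords = passwords  # constructed user -> password store
        self._max_age = max_age      # assumed freshness window
        self._seen = {}              # nonce -> time after which it is forgotten

    def verify(self, token, now):
        try:
            created_text = token["Created"]
            created = datetime.strptime(created_text, CREATED_FORMAT)
            created = created.replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
            claimed = token["Password"].encode("utf-8")
            user = token["Username"]
        except (KeyError, TypeError, ValueError, AttributeError):
            return "malformed"
        if abs(now - created) > self._max_age:
            return "stale"
        # Forget nonces whose tokens would now fail the freshness check anyway.
        self._seen = {n: t for n, t in self._seen.items() if t > now}
        if nonce in self._seen:
            return "replayed"
        password = self._passwords.get(user)
        # Always compute and compare, so unknown users take the same path.
        expected = password_digest(nonce, created_text, password or "")
        matches = hmac.compare_digest(expected.encode("ascii"), claimed)
        if password is None or not matches:
            return "rejected"
        self._seen[nonce] = created + self._max_age
        return "ok"


if __name__ == "__main__":
    now = datetime(2007, 1, 27, 12, 0, tzinfo=timezone.utc)  # constructed clock
    verifier = TokenVerifier({"user": "password"})           # constructed account
    token = make_token("user", "password", now)
    print(verifier.verify(token, now), verifier.verify(token, now))
```

The nonce is cached only after the digest matches, so failed attempts cannot fill the replay cache, and each entry is kept just until its token would be rejected as stale.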

If you would like to write a PHP client that accesses a WS-Security enabled service, you should read Kim Cameron’s IdentityBlog entry which has links to the source code needed. If you simply want to use a PHP client for a non WS-Security web service, an earlier blog entry covers that.

Posted in python, tech, web services | 17 Comments »