- We design and build extraordinary applications for companies looking to make the next great idea a reality.
- learn more
Ajax and Leaky Business Logic
I gave my presentation last evening to a welcoming Chi2 audience. The attendees were a good mixture of developers, designers and business folks. They sat through my rantings on why I thought Rich Interaction Applications (RIA) in AJAX should be developed with server-side component based GUI's, though, in a pinch, I could see the argument for client-side component based GUI's that use the back-end as a dumb data web service. Then I showed them what 150 lines of Java code could do in the Echo2 framework with my special "why would you do things this way" stock quote app. Lot's of dragging and dropping ensued.
I'll put the presentation and the demo up when I get a chance.
One of the more interesting and probing questions after the talk was about business logic leakage, i.e. how does a server-side component GUI (SGUI) keep you from leaking business logic? The answer is simple: with the SGUI, the only "logic" that makes it to the browser is "turn this area blue," "move this button over here," and "make this element draggable." While I suppose it is possible to leak business logic in this way, I'd have to say that the possibility is pretty remote and esoteric, akin to sending smoke signals.
In the pseudo hand-coded world of traditional webapp development, you are dependent on developers following good practices and not making mistakes, such as leaking the secret sauce in their Javascript validation logic. At least you hope they do. If the last 50 years of software development practice have taught us anything, it's that hope is not a plan.
There are two kinds of information leak -- what and how. "What" is your customer data, your orders, your accounts receivable, your employee database. The "how" is your secret sauce, the special way of pricing or quoting or doing that gives you a competitive advantage. Reports can leak the "what," and many businesses can survive a leak of quite a bit of "what," but leak the "how," your secret sauce that makes you money, and you're cooked. Javascript can leak the "how" if you let it.
Michael Mahemoff feels it's sometimes OK to include business logic in the Javascript:
I realise there are plenty of problems with Javascript business
logic, and it’s certainly not always applicable. Those problems include:
- Security - Exposes business logic algorithms and enables them to be changed.
That first bit applies to most all valuable services that a company might provide. If all you're providing is data, then no business logic would be leaked. If you are performing some sort of business logic on the data, it would have to be something pretty trivial to still have value and not be a divulging of the crown jewels. Can a business consist of a bunch of ultra trivial, obvious logic and still be competitive? Probably not. In short, I can't imagine the circumstances where that first item wouldn't just preclude exposing most any business logic.
Comments: 3 so far
Leave a comment
About Pathfinder
Recent
- Ruby on Rails with Windows - How I made it work
- Project Website Part 5: Morph in 11 steps or so
- Papervision3D 2.0 (Great White) in Flex 3 (Part II & III combined) with source code
- What’s In Your Dock?
- Why Chicago is Rails-town, USA
- More on Crockford’s and Flanagan’s approaches to JavaScript
- “Ajax overhaul, Part 4: Retrofit existing sites with jQuery and Ajax forms” now live at IBM developerWorks
- Integrating Design Drafts Into Your Rails App
- LINQ to My Domain
- Restlet Ported to GWT
Archives
- August 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
- August 2006
- July 2006
- June 2006
- May 2006
- April 2006
- March 2006
Topics
.NET
3d
3D GPS
Accessibility
actionscript
activerecord
Add new tag
ADO.NET Entity Framework
Adobe
Adobe AIR
Advertising
agile
Agile Development
AIR
Ajax
Ajax Applications
Ajax Bookmarking
Ajax Components
Ajax Development
Ajax Examples
Ajax Frameworks
Ajax Intervention
Ajax libraries
AJAX Obfuscation
Ajax Performance
Ajax Products
Ajax Tools
Ajax Widgets
Analysis
Android
Announcement
Announcements
antennae
Apollo
Application Architecture
Application Development
ASP.NET
Asynchronous Processing
awards
Back Button
Benchmarking
Best Practices
BitmapData.draw
BJAX
Blaze Advisor
blog
blogging
Books
Browsers
Business Reasons for Ajax
Business Rules
C#
Canvas
Case Studies
Chicago
CMS
COBOL
Code Generation
Color
COMET
Conference
Consistency
Content Management
CRM
CSS
Custom Flex Component
Degrafa
Design
Design Patterns
Desktop
Desktop RIA
Developer's Notebook
Diagnose
Dojo
Domain Knowledge
Drools
Echo2
Echo3
Editorial
ERP
Ethnographic Research
Ext JS
Facebook
FileReference
Firefox
Firefox Extensions
Flash
flash awards
flash player 10
Flex
flexunit
Flow
Frameworks
front end development
Games
Gauge Component
Google
Google calendar
Google Gears
Grails
Graphics
Greasemonkey
Groovy
GStreamer
Gwittir
GWT
Healthcare
Hibernate
IDE
Ideation
IE
IE6
IE7
IE8
ILOG JRules
Information Architecture
Innovation
Instructional Design
Interaction Design
Interview
iPhone
iTunes
Java
Javascript
JavaScript frameworks
Javascript Libraries
JBoss Rules
Jess
Jetty
Jobs
jQuery
JSF
JSON
JSR-94
Lazlo
Legacy Systems
LinkedIn
LINQ
Logical Model and Conceptual Model
Mac
Mash Note
Mashups
MetaWidget
Methodology
Microformats
Microsoft
Mobile
Mootools
Mozilla
Music
MVC
MySql
Object-Oriented
Object Relation Mapping (ORM)
Office
Open Screen
Open Source
Opera
ORM
pagination
Pair Programming
papervision3d
Patterns
Peer Creation
Performance
Personas
PHP
plugin
process
Web/Tech
Progressive Enhancement
Project Website
Prototype
Prototyping
PV3D
QA
qooxdoo
Radiant CMS
rails
Really Simple History
References
Requirements
Requirements
Alice Toth
Requirements Visualization
Restlet
RETE
Review
Rich Interactions
ruby
Ruby on Rails
SaaS
Safari
San Francisco
Scalability
Scenarios
Scriptaculous
SDLC
Search
Security
Selenium
Semantic web
SEO
Server Side
Silverlight
SOA
Social Networking
Software Processes
Songbird
Sprajax
Spreadsheets
Standards
Story Telling
Struts
Task Flows
Test Driven Development
Testing
Tilt Component
Tools
Training
Trends
Tumblr
Tutorial
Tutorials
Unit Tests
Usability
Usability Testing
User Experience
user experience design
user interface
User Interface Standards
User Research
UXD
Video
Visualization
VLC
Volta
Web/Tech
Web 2.0
Web Design
Web Development
Webkit
Weblogs
Web Services
Web Standards
Widgets
will_paginate
Windows
Wireframes
WordPress
workflow
XML
XML Metadata
XUL
Yahoo Map AS3 API
Zeigarnik
Zeigarnik Effect
ZK
Assuming that one does a good job of keeping business logic on the server, then there are (at least) two approaches to complex browser-based UIs. One would be sending UI update commands to the client (which is what I think you mean when you refer to SGUI) and another approach would involve shipping the post-business logic model data to the server (as JSON or XML) and letting the javascript client be smart about how to deal with it. Obviously, sending UI component update commands to the browser makes the “what” harder to extract for anyone trying to scrape the site. But then again, by passing UI update commands back to the browser, then you’ve introduced a dependency between your server code and your client code which means every change to a client could require a change to the server. Anyway, I’m curious…where would you recommend drawing the line?
Comment by scott, Thursday, April 27, 2006 @ 2:07 pm
I’m not sure it matters where you draw the line here. The two scenarios are similar enough as to make the decision a practical implementation question. Either you are shipping DOM update commands to the client side engine, or you are shipping data which the client then processes into DOM updates.
Nothing precludes your framework from implementing something like this. For example, the classic MS data grid could be implemented either way.
The real concern is where to draw the line with regard to the business logic. Sadly, the trusted environments where you could use client-side logic usually have the best performance, while untrusted, remote environments usually have the worst.
Comment by Dietrich Kappe, Monday, May 1, 2006 @ 4:34 pm
Storing of rules in the browser is a big concern for many IT folks. SmartForms for Blaze Advisor is one product, though there may be others, that can address this while still providing a rich rules-driven interaction. The rules in SmartForms are not visible on the client because the rules are compiled into XPath expressions loaded into memory. The users can not view the source. SmartForms does not generate any JavaScript code for a specific form. The output of the Smartforms is a set of XForm pages+ XSL transforms and CSS files. No JavaScript is used for rule enforcement; rather SmartForms uses the XForms constructs and the XPath expressions for validation and rule enforcement. Using this design approach no validation logic is exposed to the client. End users will not be able to see the validation logic because the logic is managed by the form models which reside in the browser memory, The only information that an end user would be able to see are the compiled XPath statements and XForm constructs and the constructs can mask these as well.
http://edmblog.fairisaac.com/weblog/2006/05/business_rules_.html
Comment by James Taylor, Wednesday, May 10, 2006 @ 5:45 pm