Michael Klucher on XNA Game Studio for Windows Phone
A Vision of the Future for Home and Work Experiences by Microsoft Surface
Announcing Ext JS 3.2 beta – Multisort, Transitions and Composite Fields
UI design for developers and/or designers?
When I started working with Qt back in 2003, what appealed the most to me was the network and GUI parts. The network part because I love network programming and have ever since I started with programming. The GUI part because of my demo scene background, but also because I never managed to get a working GUI for my apps, I just didn’t have the patience to learn all the different platform specific (horrid!) APIs. I’m a bit lazy in that way. Being a huge Linux fan didn’t make the situation better. And there was Qt, making it easy and consistent. For a C++ programmer, GUI programming with Qt on the desktop was and is just wonderful. There’s a problem though, and I’ll make a bold claim. Most programmers aren’t that much into making good and fancy GUIs. We can cope with assembling them, perhaps, and it feels great to present a functional GUI to your grandma (”I made it, ‘ma!”), but at least I get a headache whenever somebody suggests that I redesign the GUI because of this and that principle. I’m a programmer. Fiddling with a GUI just isn’t my thing.
These days we are seeing a paradigm shift in the way UIs look, and how they are written. Yes, I used the term “paradigm shift” ;-), kudos to Thomas Kuhn ;-). One of the most misused terms in our times, it’s a typical manager buzzphrase that doesn’t make sense unless you really don’t care (just translate it into “awesome new stuff”, now it makes sense) or if you know what it means. In this UI context it actually works though ;-). I don’t know if I know what it means but I’ll explain what I think it means. If this interpretation changes, then that will just lead to infinite terminology recursion but enough about that. People talk about paradigm shifts when you change your entire view of how something works. It’s really about leaving your comfort zone and looking at things with completely different eyes, and then maybe wondering how on earth you could have seen things differently in the past. “I want to be a lumberjack!!” These shifts happen at different levels of impact but you see them all around you. I think they are often seen in places where the world takes a huge leap forward somehow. I can think of a number of examples (”fatherhood”) but I’ll leave that as an exercise to the reader ;-).
On the UI front, designers are taking over. Tools and languages are improving, and the graphical designers, who have been at the mercy of programmers in the past, are not going to be anymore. As for programming languages, we’re going to see less need for compiled code and traditional APIs. Less of the imperative way of thinking (the programmer’s way) and more declarative. Who cares which button is added to the layout first or second, in whatever order? Nope, it’s about how the designer wants it to look, and behold, it ends up exactly as the designer wants it. Also, the designer doesn’t expect his UI to perform badly. That’s going to be seen as a bug in the framework.
I’m a programmer, and us programmers aren’t ending up unemployed.
I don’t think designers can or should go much beyond the design. What I do think is that programmers will be forced to write even more UI-agnostic code than they have in the past. Instead of writing C++ code that toggles the connection between objects and enables/disables and hides/shows GUI elements based on events, we’ll have to write APIs that expose the properties, the knobs and handles that affect them. This is not yet another MVC movement, this is about writing beans; library code with no UI whatsoever. There’s a huge difference. And the designer will have perfect freedom to redesign the UI based on just that. Developers will have no control over the UI. In particular accessing elements in the UI shouldn’t really be allowed at all (e.g., calling findChild() on a QFileDialog, ugh!). Instead we expose objects and properties to the UI layer, and cross our fingers and hope that the designer makes use of our functionality. Having less UI features exposed that we can use from C or C++, will for some be quite a painful change.
I cannot convince everyone. As a programmer, you really have to see what happens when you make the change. But I warn you, it will be hard to look back. The designers will suddenly feel like an integral part of the development team, making iterations upon iterations of their UIs and testing them in real-time on the target platform, using the _real_ features instead of just faking them. The “compiled code” doesn’t change at all while the UI is evolving. The designers won’t even need to talk to programmers at all.
I honestly think we’ll see a lot more designers emerge from their dark caves and join software projects. This, of course, is seen from a programmer’s point of view. The designers will maybe think “Finally, I don’t have to deal with those… interesting programmers!”.
It’s a paradigm shift. What a wonderful world :-).
PS: Qt 4.7 will be the first version of Qt that incorporates Qt Quick, a feature that moves us closer to the world-as-described-above. Search for QML, Declarative UI, Kinetic, Qt Quick and so on with your favorite search engine, text, images and video. We’re keeping our cards close (a bit too close perhaps) for the first release but this technology will evolve rapidly after its first release.
First notes from 360Flex 2010 conference
I arrived in San Jose, CA late on Sunday. By coincidence, there were three other speakers on the same plane from New York: Shashank Tiwari, Elad Elrom, and Jeff Tapper. A short taxi ride to the Marriott and one of the conference organizers, Tom Ortega, gives us a warm welcome in the lobby, “Hello guys! Please don’t do it again. Don’t get on the same plane next time – I can’t afford to lose four speakers”.
After a quick check-in to a nice room I spent a couple of hours drinking with a flex crowd in a couple of bars.
The morning after.
The shuttle bus took us to the huge eBay campus. Most of the people on the bus DID NOT have iPhones, can you believe this? Tom was greeting everyone at the door.
Several hundred people gathered to hear Adobe’s Deepa’s keynote. Her conference badge reads “I’m Deepa”. Nice! At the next conference I’ll steal this idea from her and will carry the tag “I’m Yakov”.
I’ve been looking at this crowd and was thinking to myself, “If Tom and John will keep 360Flex running, in two years it’ll become bigger than Adobe MAX for Flex developers.”
In the morning, I’ve attended a presentation on Web analytics (Google vs. Omniture) and after lunch, my yesterday’s drinking buddy Jesse shared with the grateful audience his use of Flex plus two (!) more frameworks in the same project. Jesse is a good presenter, and I always come to see him regardless of the subject he’s talking about.
At 4PM I delivered a preso titled “Boring Presentation on Libraries and Modules”. A hundred people gathered in the room (here they are), and I was talking for 80 minutes and then was answering questions for another 25 minutes. I was pleasantly surprised that a non-flashy subject of modularization gets such an interest. People started working on decent size enterprise RIA’s and need to properly cut them into pieces.
This presentation was videotaped and sooner or later will become available online. For now, I can offer you a video of its shorter version that I made last year at Flash Camp Wall Street.
The beer was served right at eBay and the networking part began. These are some things that I’d like to share with you.
1. After certain conversations with certain people and by applying the Sherlock Holmes’ method of deductive reasoning I came out with the release date of Flex 4. To be on the safe side, I’ll give you two dates: March 29 or March 31 of 2010. Let’s wait and see if I got it right or I got it right.
2. I met a guy who runs a tiny company of a couple of Flex developers. He was complaining that it’s very difficult for him to find Flex talent for his projects because he couldn’t afford to hire and keep on billing $100 per hour consultants. He was surprised to learn that our company can easily offer him senior (I mean it) Flex/Java developers working remotely for a lot more modest rates. This is not the first time I hear that people assume that Farata Systems works only for Wall Street giants. We have lots of happy customers and the smallest one has only two employees.
3. I met a guy who has a nice visualization piece that may complement our ClearBI Flex reporter. For some reason, there’s been a surge of interest in ClearBI during the last month or so. We haven’t open sourced it yet, but if you want to play with it, here’s the URL of the demo server. You may find some old screencasts showing how to create a custom report based on the raw grid of data, but try just hitting the buttons on the screen and you should be able to figure out how to add grouping, sorting, computed columns with formulas, and other goodies to create a report to your liking.
The dinner at P.F.Chang with several flexers was closing my first day of this very friendly and high-tech event. Looking forward to today’s learning.
Another day, another framework.
Yours truly,
Yakov Fain
A magical device for me: HP’s slate

When I saw the videos with HP’s upcoming slate device, and I learned that it will support Flash Player and Adobe AIR I knew this is the magical device for me and my family. The only question I have is how much it will cost.
My wife is a heavy Internet user (movies, social networks, casual games). Since we became parents she is using all these social networks even more than before:
- “Look Mihai, our friends posted a new video with their baby! Look at this video with your son playing with a bear! Isn’t he amazing?”
Well, you have the picture. Now, most of these sites rely heavily on Flash Player. At the same time it seems the table in front of my wife is becoming smaller and smaller due to all sorts of UFOs (not to be mistaken for alien ships; to dads these are the Unknown Funky Objects used by moms). Thus I think the form factor and size of this device will be just perfect. Probably I could use it on vacations to save photos and videos as well.
Now, I just have to wait until it gets launched! I wonder if it will be out in time for our anniversary.
What do you think about this device?
HP's Upcoming Slate Device Meets Flash Player and Adobe AIR
Be sure to check out a very exciting blog post highlighting both Flash Player and Adobe AIR running on HP's upcoming slate device.
Alan Tam, a product marketing manager here at Adobe, demonstrated both Flash Player and Adobe AIR applications running on the device:
The Flash Mobile Advantage
A post up about Jeff Smith from Smule and why he won’t ever target Android.
Smith is part of a small but vocal chorus of app developers who say they don’t want to move to Android, even though it is growing quickly. His complaints: He doesn’t like the way the store merchandises its wares, and he doesn’t want to have to create different apps for each handset Android supports.
To me, that helps show the value proposition of Flash on mobile devices. You’re going to have to create custom Flash mobile content for each device. It’s not going to be write once, run everywhere. But you’re not going to have to rewrite an app from scratch and you’ll be able to use the same technologies and tools across multiple platforms which means you can crank out applications faster and make sure they’re higher quality.
As developers get more sophisticated, just like agencies have their own frameworks to give them a head start on the apps they build, you’ll see frameworks that decrease the time to market of mobile applications for different sized screens and different functionality. But the key is being able to use the same tools, the same language, and the same platform so that you can easily tweak and write those applications for multiple platforms.
HP’s Flash-enabled Tablet
Some very cool video of Flash Player and AIR running on HP’s Slate tablet computer.
It’s great to see Flash Player running on a tablet. One of the nice things about the tablet versus the mobile device is that because of the larger screen size, more content will work out of the box. Flash on mobile devices performs really well but the screen size is going to require some UI changes for sites that will be visited heavily by mobile devices. Tablets provide a more big-screen experience.
A syntax highlighting TextBlock for Silverlight 3
WPF / Silverlight Quick Tip: INotifyPropertyChanged for indexer
Hi from Bossa Conference (and BossaTetrix)
Several of the Trolls are right now in Manaus (Brasil) at the Bossa Conference 2010 and we’re having a great time. The conference is hosted by INDt here in Brasil, and the topics covering Qt directly are:
- QML
- QtWebkit
- Next generation widgets, and
- Shipping Qt apps on Symbian
but there are also talks about KDE, Ubuntu, Maemo etc.

In my talk I’m explaining how to go from nothing to having your own Qt app on the Ovi Store. So for that purpose I created a little app which is a “mobilized” touch version of our old Tetrix example. See image below. It’s not fantastic in any way, but I thought it might be interesting for some to install it on their phone and try it out.
There are two ways of getting this app on your phone:
Method 1: (recommended)
- Install Qt 4.6.2 (Symbian)
- Install BossaTetrix (normal version)
Method 2: (experimental)
- Install BossaTetrix (Smart Installer version)
Note: Version 2 is not stable and I’ve had limited success with it. The Nokia Smart Installer is still in beta! - so if you just want something that works, go for Method 1.
My current highscore is Score: 529 Level: 2. Post your score as a comment
Oh and btw, my app is not in the OVI store yet. As I said, the Nokia Smart Installer is still in beta and the OVI site still needs some changes before Qt apps can be uploaded, but we’re one step closer, and I now basically know the whole complete process involved.
Twitter feed about the conference here.
Silverlight @ #MIX10 – The Next Web Now
Advanced Data Source Engine coming to Telerik Reporting Q1 2010
This is the final blog post from the pre-release series. In it we are going to share with you some of the updates coming to our reporting solution in Q1 2010.
A new Declarative Data Source Engine will be added to Telerik Reporting, that will allow full control over data management, and deliver significant gains in rendering performance and memory consumption. Some of the engine’s new features will be:
- Data source parameters - those parameters will be used to limit data retrieved from the data source to just the data needed for the report. Data source parameters are processed on the data source side, however only queried data is fetched to the reporting engine, rather than the full data source. This leads to lower memory consumption, because data operations are performed on queried data only, rather than on all data. As a result, only the queried data needs to be stored in the memory vs. the whole dataset, which was the case with the old approach
- Support for stored procedures - they will assist in achieving a consistent implementation of logic across applications, and are especially practical for performing repetitive tasks. A stored procedure stores the SQL statements and logic, which can then be executed in different reports and/or applications. Stored Procedures will not only save development time, but they will also improve performance, because each stored procedure is compiled on the data base server once, and then is reutilized. In Telerik Reporting, the stored procedure will also be parameterized, where elements of the SQL statement will be bound to parameters. These parameterized SQL queries will be handled through the data source parameters, and are evaluated at run time. Using parameterized SQL queries will improve the performance and decrease the memory footprint of your application, because they will be applied directly on the database server and only the necessary data will be downloaded on the middle tier or client machine;
- Calculated fields through expressions - with the help of the new reporting engine you will be able to use field values in formulas to come up with a calculated field. A calculated field is a user defined field that is computed "on the fly" and does not exist in the data source, but can perform calculations using the data of the data source object it belongs to. Calculated fields are very handy for adding frequently used formulas to your reports;
- Improved performance and optimized in-memory OLAP engine - the new data source will come with several improvements in how aggregates are calculated, and memory is managed. As a result, you may experience an improvement of between 30% (for simpler reports) and 400% (for calculation-intensive reports) in rendering performance, and about a 50% decrease in memory consumption;
- Full design time support through wizards - Declarative data sources are a great advance and will save developers countless hours of coding. In Q1 2010, and true to Telerik Reporting’s essence, using the new data source engine and its features requires little to no coding, because we have extended most of the wizards to support the new functionality. The newly extended wizards are available in VS2005/VS2008/VS2010 design-time.
More features will be revealed on the product's what's new page when the new version is officially released in a few days. Also make sure you attend the free webinar on Thursday, March 11th that will be dedicated to the updates in Telerik Reporting Q1 2010.
Flex on Java book excerpt: Securing your Flex application
Object Capability Model and Facets in Perstore/Pintura
The object capability model is an approach to security that utilizes object references as the primary means of controlling access and providing authority. Capability-based security follows the principle of using unforgeable capabilities to provide access to resources. Object capability builds on capability-based security by leveraging object references as the primary representation of capabilities, which are naturally unforgeable in memory-safe languages. Object capability based security is an elegant approach to security because the goals of the object-oriented principles of encapsulation and information hiding are realized in virtually the same manner as the principle of least authority that is at the heart of object capability security. This type of security is extremely flexible and customizable since it is based on object-oriented design. Plus, writing good code naturally leads to secure code: security can be designed hand-in-hand with object encapsulation.
In the object capability model, the authority to act on an object is permitted when one attains a reference to that object. Primarily, object references are gained by creating a new object (parenthood) or being passed an object reference (introduction). This means that a separate access control system is not needed: the passing of object references to functions and other objects provides the minimal, but sufficient, means and authority to carry out operations.
Object capability provides a fundamentally superior approach to the alternatives that have led to a vast number of the security flaws that have plagued operating systems and the web. Operating systems have long been unable to provide any true protection against malicious code. This is because access is defined by the current user’s access levels (ACL approach) instead of through capabilities being appropriately passed to programs. In object capability terminology, providing all executing code (for a given user or other context) with the same level of access is known as “ambient authority”. This has essentially enabled the whole class of exploits known as viruses. On the web, the problem is equally severe. Perhaps the broadest security threat to web applications is CSRF. This is also a direct result of how applications use cookies for ambient authority. Cookies are uniformly attached to all requests to a domain, regardless of who or what triggered the request. This allows malicious sites to trigger requests under the ambient authority of a logged-in user.
One of the primary goals in the evolution of JavaScript is improved security. A large number of the revisions in ECMAScript 5, and proposed ideas in the next version, are the result of object capability model research and how it can be applied to JavaScript to avoid ambient authority exploits. In particular, ES5’s strict mode is specifically designed to enable a new class of sandboxing techniques for executing untrusted code. Caja, FBJS, Jacaranda, dojox.secure, and ADsafe are all technologies that employ the object capability model to safely execute suspicious code.
Challenges: Doing something useful
While the object capability model provides a well-grounded and principled approach to security, it is not necessarily obvious, nor intuitive how to build real applications with this model. Application requirements are not usually defined in terms of object references, but rather in terms of who can do what, and how access is controlled. Since it is easy to just default to ACL-style approaches, how do we translate such requirements into object capabilities instead? We will take a look at how Persevere 2.0’s Pintura and Perstore provide a framework for doing just this.
Object capability model advocates tend to be cautious around user-authentication schemes, since they often translate into ambient authority. However, that does not need to be the case, and the reality is that the vast majority of applications will indeed utilize user authentication to control access to resources. This does not invalidate the object capability approach. Pintura makes it very easy to use user authentication. Pintura employs a middleware module that reads user credentials, checks them against a data store for credentials (which can be configured to be any data store), and then calls a function that can be implemented by the application to return a set of “capabilities”, which are a set of references to data interfaces that the user can access. These capabilities are passed to the entry REST or RPC handler, but one does not need to rely on ambient authority: code can then explicitly pass appropriate capabilities to any other functions that are executed.
Let’s take a look at Pintura’s example application to see this in action. The access.js module defines a getAllowedFacets function on the security object that implements the logic of determining which capabilities are designated for each user. In this example, we define administrative capabilities, authenticated user capabilities for editing wiki pages, and the capabilities of an unauthenticated user, which include the ability to view pages, authenticate and register/sign-up. The access.js module is loaded by the entry module, app.js, and makes it very easy to define the capabilities of the users.
Facets
Looking at the access.js module you will see that most of the capabilities refer to facets. Facets are an integral part of the Pintura/Perstore (Perstore is the persistence/data modeling framework used by Pintura) security system, and are introduced in the getting started with Pintura article. One of the primary challenges of using the object capability model is that a simple reference to an object often falls far short in terms of access level granularity. If you don’t have a reference to an object, you can’t do anything with it, and if you do have a reference, you can do anything to that object. In reality, applications often need much more fine-grained access levels like read-only access, create-only access, ability to delete from collections and even ability to define these levels at individual property levels instead of just the object level. With the object capability model, we can achieve this level of granularity by creating proxy objects that wrap an object. The proxy object can then be referenced and the proxy can handle attempts to modify and/or read data from the source object and determine which operations to allow, and which to deny.
Building these proxy objects can be onerous, but Perstore makes this easy, providing a complete, robust system for controlling access to store model persistent objects with “facets”. We use the term “facet” in Perstore because proxy is an overloaded term, and “facet” also indicates the secondary purpose of providing alternate views and interfaces of data. The facets in Perstore automate most of the proxying process, and allow a great deal of flexibility in defining access. Facets are actually very analogous to the concept of a proxy server, and follow the layering principle of REST. Like proxies, facets add functionality (attenuation of access), but present the same interface to the next level up.
As mentioned in the getting started guide, Perstore provides two facet constructors: Restrictive and Permissive. The Permissive constructor gives full access to the underlying objects by default, and you must explicitly define functions or schema constraints to restrict functionality. The Restrictive constructor restricts access to the underlying objects to read-only by default, and you must override functions to permit access. Perstore facets utilize JSON schemas for further defining the facets. The same familiar structure that is used for model object validation is used for facet definitions. Therefore you can write:
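var Permissive = require("facet").Permissive;
// Product is the application's model, defined elsewhere.
var SomeProductFacet = new Permissive(Product, {
    properties: {
        productCode: {readonly: true},  // visible, but cannot be changed
        managerNotes: {blocked: true}   // cannot be read or written
    },
    // Deny deletion through this facet.
    "delete": function(){
        throw new Error("Can not delete");
    }
});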
In this example, we have defined a facet for accessing the Product model and its instances. All instances that are retrieved through SomeProductFacet will be writable objects except that productCode will be read-only and managerNotes will be completely blocked (can not read or write to it). Furthermore, this facet defines that any attempt to delete products through SomeProductFacet will be denied.
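The facet behaviour described above, together with the getAllowedFacets step from the authentication discussion, as an added sketch in modern JavaScript. It is not Perstore or Pintura code: makeFacet, makeStoreFacet, the readOnly and allowDelete rule names, the user shape and the sample product are all assumptions made for illustration.

```javascript
"use strict";

// Attenuating proxy for a single object (illustrative, not Perstore's code).
// rules.properties mirrors the schema above; rules.readOnly (an assumed name)
// makes every property read-only, like the Restrictive default.
function makeFacet(target, rules) {
  const props = rules.properties || {};
  const blocked = (key) => Boolean(props[key] && props[key].blocked);
  const writable = (key) =>
    !rules.readOnly && !blocked(key) && !(props[key] && props[key].readonly);
  const deny = (action, key) => {
    throw new Error(`facet denies ${action} of ${String(key)}`);
  };
  return new Proxy(target, {
    get: (obj, key) => (blocked(key) ? deny("read", key) : obj[key]),
    set(obj, key, value) {
      if (!writable(key)) deny("write", key);
      obj[key] = value;
      return true;
    },
    // Close the side doors that would bypass get/set.
    defineProperty: (obj, key) => deny("redefinition", key),
    deleteProperty: (obj, key) => deny("removal", key),
    setPrototypeOf: () => deny("change", "prototype"),
    // Hide blocked properties from `in`, enumeration and JSON.stringify.
    has: (obj, key) => !blocked(key) && key in obj,
    ownKeys: (obj) => Reflect.ownKeys(obj).filter((key) => !blocked(key)),
    getOwnPropertyDescriptor: (obj, key) =>
      blocked(key) ? undefined : Reflect.getOwnPropertyDescriptor(obj, key),
  });
}

// Constructed in-memory stand-in for the Product model.
const productStore = {
  rows: new Map([
    ["p1", { productCode: "AX-100", price: 10, managerNotes: "margin 40%" }],
  ]),
  get(id) { return this.rows.get(id); },
  delete(id) { return this.rows.delete(id); },
};

// Store-level facet: same interface as the store, attenuated behaviour.
function makeStoreFacet(store, rules) {
  return Object.freeze({
    get(id) {
      const row = store.get(id);
      return row ? makeFacet(row, rules) : undefined;
    },
    delete(id) {
      if (!rules.allowDelete) throw new Error("Can not delete");
      return store.delete(id);
    },
  });
}

// Hypothetical counterpart of the getAllowedFacets hook described earlier:
// authentication selects the capabilities once, at the entry point.
function getAllowedFacets(user) {
  const hideNotes = { managerNotes: { blocked: true } };
  let rules = { readOnly: true, properties: hideNotes }; // unauthenticated
  if (user && user.admin) {
    rules = { allowDelete: true };
  } else if (user) {
    rules = { properties: { productCode: { readonly: true }, ...hideNotes } };
  }
  return { Product: makeStoreFacet(productStore, rules) };
}

// Handler code is given facets explicitly and uses nothing else.
function updatePrice(facets, id, price) {
  const product = facets.Product.get(id);
  product.price = price; // throws unless this caller's facet allows the write
  return product.price;
}

// Demo: an authenticated, non-admin user edits the price.
const editor = getAllowedFacets({ name: "ann" });
console.log(updatePrice(editor, "p1", 12));
console.log(JSON.stringify(editor.Product.get("p1")));
```

The defineProperty, deleteProperty and setPrototypeOf traps matter as much as get and set: without them a caller holding the facet could redefine a read-only property and sidestep the attenuation.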
Facets are the primary mechanism for authorization in Pintura. This fulfills the essential role in a web application of controlling access of clients. However, with the firm basis on object capability model, Perstore’s faceting will be appropriate for the eventual sandboxing of untrusted code. While JavaScript sandboxing is still somewhat of a research and development level topic, and is more of a platform level concern, (Perstore/Pintura do not provide any sandboxing themselves) such mechanisms are in the works, and should work perfectly with facets to provide fine grained access to persisted data for various modules.
Facets are a powerful concept with a multitude of uses. We have seen how to utilize them for access control, but facets can also play an important role in providing different “views” of data. One can utilize facets for applying different query filters, providing different locale-specific data to achieve internationalization, or revealing various levels of object details based on application views. Out of the box, facets are based on authentication information, but facets (and even layers of facets) can also be selected based on locale, user agent, or custom headers.
Conclusion
Persevere 2.0’s new object capability model with facets provides a flexible security framework based on the best principles of security research, avoiding the pitfalls of ambient authority and giving you the tools to quickly and efficiently build solid, secure applications.