Mindoo Blog - Cutting edge technologies - About Java, Lotus Notes and iPhone

  • Tools we use to build web apps

    Karsten Lehmann  21 September 2014 21:50:48
    In a recent comment in this blog, Andrew Magerman asked what frameworks I use to build web applications and whether we have looked into Angular. Since the answer got too long for a simple comment and might be interesting for others, I created this blog article.

    Server side
    I am using my own regexp based templating system, which simply fills some placeholders in static HTML and JS files and sends them to the browser, e.g. to compute URLs, to insert translated phrases and include content of other template files. I don't need much flexibility for this template system, because all dynamic stuff is created in the browser anyway.

    Data is provided via custom REST services implemented in Java that offer CRUD operations. In many cases, the server side application code uses framework classes from OSGi plugins that build a common layer shared between multiple web applications.

    Frontend stuff
    For the frontend, I use Bootstrap to build responsive user interfaces that work on phones, tablets and desktop browsers. I use jQuery, lots of helper projects like bootstrap datepicker and timepicker, select2 for flexible comboboxes, velocity.js for animations, Asynquence to work with callbacks and other libraries that I tweeted about in the past.

    To wire them together I use require.js, which gives me a clean dependency resolution.

    React based UI rendering
    For more and more UI components, I use React for the rendering and their flux application architecture.
    I especially like their approach to reduce DOM changes by comparing old and new in a virtual DOM tree in memory when data changes.

    Another advantage of React.JS is that the initial UI code can be precomputed on the server side to improve SEO ranking (see this article).

    Normally, this is done in code running in a Node.JS server.

    For Java based server environments like IBM Domino, we have code to do this using the JavaScript engine of the JVM and as an alternative (with better performance thanks to Node's V8 JavaScript engine) by leveraging an external Node.JS process on the same or a different machine.

    Angular
    We haven't used Angular in real-life projects yet. Looking at the documentation, it feels as if they over-standardized web application development a bit, making it more difficult than necessary to get started.

    What concerns me is that their templating system does not seem to optimize DOM operations as well as React does. In the browser, it's all about responsiveness and performance.

    What I don't use
    Personally I prefer not to use JSF components or similar concepts for the web UI. I don't like to depend on a server state and don't like to have too much communication between frontend and backend.

    Instead I like to have most of the UI code in the browser so that the app is responsive even with bad network coverage. In addition, I can optimize DOM rendering and have more ways to play with animations and transitions.

    Communication with the server side is done through REST APIs that can also be reused to test functionality, automate tasks or for automatic data imports/updates.

    Domino?
    You may have noticed that not much of my way to develop web applications requires a Domino server.
    Having Domino on the server is a great thing, as it includes many services in one consistent platform, like the document database, fulltext search, directory services, replication and a close integration of application code and the mail server.

    But there's more than one way to skin a cat. We have prototypes in the lab that don't have any Domino dependencies.

    Since we like document databases combined with replication, we have been playing with the CouchDB eco system for some time:
    the Apache CouchDB project that is currently merged with the Cloudant database and the rcouch project as well as its mobile version Couchbase Lite and PouchDB in the browser.

    Combined with an OSGi based server platform, that looks like a powerful and extensible app dev environment.

      Status report / collection of web and mobile development frameworks and tools

      Karsten Lehmann  27 June 2014 09:49:20
      The last post in this blog was written 6 months ago. Although I have had several ideas for new posts, project work and family life got in the way (our son was born last September).

      At Mindoo, we have been incredibly busy working on development projects and product prototypes. Some of them are still IBM Domino based with Responsive Web Design using Bootstrap and jQuery or Sencha's ExtJS, others are pure JSF applications using the Primefaces framework.

      In other projects, we produced EPub files from IBM Domino data (we used EPublib for this purpose), built some native extensions to call Domino C API functions from Java code (e.g. direct attachment streaming without extracting files to disk first) and dived a bit into the mobile development space with apps developed with Appcelerator Titanium and a CouchDB on the server side as well as Couchbase lite in the mobile client to easily sync data between devices.

      Since I could not find the time to write blog articles, I more and more have been using Twitter to publish interesting frameworks and tools. I do this primarily for myself to be able to find them later when I need a tool for a project, but hey, my Twitter account is open, so feel free to take a look or become a follower.

      To be able to search my findings, I created a Notes database on our web server where I download my tweets, add content of linked web pages and use Domino's powerful fulltext search engine for searching.
      That database currently only has an ugly Notes Client based user interface, but I plan to add a simple web frontend to it. We'll see if and when this will be available.

      So for now, all I can do is recommend taking a look at my Twitter account to see what technology I am currently working with:


      Now on OpenNTF: Open Eclipse Update Site - based on IBM’s template but with extended functionality

      Karsten Lehmann  6 December 2013 19:16:01
      I just created a new project on OpenNTF called "Open Eclipse Update Site".

      The Open Eclipse Update Site database is based on the OpenNTF project "Eclipse Update Site (updatesite.ntf)" from IBM with additional functionality, e.g.
      • Mac Notes Client support (no SWT error messages like in the original template)
      • View action to delete selected features from the database (no need to delete all like in the original template)
      • Support for headless builds (automatic generation of update site, e.g. in a Jenkins server):
        database contains an agent called "(API)" that can be called to delete all content and import an update site from the local disk

      Now on OpenNTF: Mindoo XPages2Eclipse - Eclipse APIs for XPiNC applications!

      Karsten Lehmann  28 November 2013 19:45:49
      I just created a new project on OpenNTF: Mindoo XPages2Eclipse.
      Our toolkit, which provides extensive Eclipse APIs to XPages developers in the IBM Notes Client (XPiNC), is now available for free!


      Here is the project description:

      XPages2Eclipse is a language extension for XPages-development within the Lotus Notes Client

      Find out how XPages2Eclipse simplifies the development of XPages-applications for the IBM Lotus Notes Client considerably. With the help of this extensive toolkit you will be able to develop applications, which exhaust the full potential of the local client.

      XPages is the new technology of the hour for the Notes/Domino platform. It enables the development of modern and attractive applications in an up-to-date integrated development environment - the Domino Designer.

      For newcomers it is often difficult to master the XPages technology due to its extensive set of features - the change from classical Notes development with LotusScript is not to be accomplished within a couple of days.
      In addition to getting familiar with the usual Web standards like HTML, CSS and JavaScript, one also has to get to know the ui-library Dojo, as well as IBM specific additions like server side JavaScript (SSJS), themes or components from the Domino Extension Library.

      Yet, the result at the end of this steep learning curve is quite impressive:
      dynamic web user interfaces that can join data of multiple Lotus Notes databases or other data sources, if needed, or even an application for mobile devices – no traces left of the antiquated user interfaces that used to be created with classic Lotus Notes development.

      Thanks to the Lotus Notes Standard Client, XPages applications can also be used locally and even offline.


      Expanding the boundaries of local XPages applications

      Unfortunately - from the perspective of developers - it is difficult or even impossible, to offer a set of features users are familiar with when executing XPages applications locally. That is, if developers stay within the boundaries of the XPages standard.
      There are hardly any standard APIs available to interact with the Lotus Notes Client or any other locally installed software.

      Missing are for example:

      • Integration of existing Notes applications: filling in Notes forms and Emails with data from XPages applications, accessing documents selected in classical Notes views, running existing LotusScript code
      • Import or export of data from IBM Lotus Symphony, supporting documents, spreadsheets and presentations
      • Executing document attachments with associated desktop-applications (for Windows, Linux and Mac OS)
      • Accessing the clipboard to store HTML, text, images or files
      • Executing long-running operations in the background, displaying their progress and cancelling the operation if necessary
      • Convenient features like file selection, including multi-selection, and folder selection
      But it doesn't have to be this way - XPages2Eclipse comes to your rescue. It enables developers to use functions of the Rich Client, without the need to become experts in either plugin- or Java development.
      Every feature of XPages2Eclipse can be used from within server side JavaScript.

      XPages2Eclipse offers something for everyone

      The requirements listed above are all met by XPages2Eclipse - and more!
      Your users will experience a real Rich Client-feeling for XPages applications within the IBM Lotus Notes Standard Client.
      As a developer you will save time and will be spared a lot of hard work to implement these functions, while enhancing consumer acceptance of your product.


      More information and sample code

      You can find lots of sample code and API documentation in the XPages2Eclipse wiki on the XPages2Eclipse website.


      New on OpenNTF: Plugin to close XPiNC applications from CSJS code / to detect Notes ID changes

      Karsten Lehmann  9 September 2013 22:06:28
      There is a new project on OpenNTF that I created a few days ago: Mindoo Xulrunner Prefs.js Management Plugin.
      It's nothing big, only a small Eclipse plugin that can be installed in the Notes Client to manage the preferences of the Xulrunner engine that renders XPages in the Notes Client (XPiNC).

      The main purpose for this is to set the property "dom.allow_scripts_to_close_windows" to false on a number of machines (the plugin can be deployed via policy). This enables XPages applications to close their own tab in client-side JavaScript (CSJS), something that is not possible by default yet (last tested version: Notes Client R9).

      But the even more interesting part, at least for Eclipse plugin developers, is that the project demonstrates how to run code before and after the password prompt of IBM Notes.
      We use the following Extension Point:

      <?xml version="1.0" encoding="UTF-8"?>
      <?eclipse version="3.4"?>
      <plugin>
         <extension
               point="com.ibm.rcp.lifecycle.application.startBundles">
            <application
                  id="com.ibm.rcp.personality.framework.RCPApplication">
               <bundle
                     id="com.mindoo.xpinc.changeprefs">
               </bundle>
            </application>
         </extension>
      </plugin>


      The plugin code will actually get started a bit too early for our specific use case, because the user still has to enter his password, so no Notes session is available yet to read the Notes.ini content (or even find out where the Notes.ini is located).

      So we register an ILoginContextEventListener to get notified as soon as the user has logged in:

      public void start(BundleContext bundleContext) throws Exception {
          XPiNCChangePrefsActivator.context = bundleContext;

          // we register an ILoginContextEventListener to get notified when the
          // user has logged into the platform
          ILoginContextService service = SecurePlatform.getLoginContext();
          service.addListener(new ILoginContextEventListener() {
              boolean hasTweakedPrefs = false;

              public void handleLogin(LoginContextEvent event) {
                  if (event.type == LoginContextEvent.MethodEnd && !event.hasException) {
                      synchronized (XPiNCChangePrefsActivator.class) {
                          if (!hasTweakedPrefs) {
                              // we use a flag here, because the
                              // method is called twice
                              XPiNCPrefs.tweakXulrunnerPrefs();
                              hasTweakedPrefs = true;
                          }
                      }
                  }
              }

              public void handleLogout(LoginContextEvent event) { }
          });
      }


      This technique can also be used to detect Notes ID changes and is inspired by a blog article of Hunter Medney.

      Please note that there is another Extension Point in the Eclipse platform to launch code on startup, which is called after the user has logged in:

      <extension point="org.eclipse.ui.startup">
          <startup class="com.mindoo.startuptest.MyStartupHandler" />
      </extension>

      But the Extension Point we used for the plugin seems to be called a bit earlier, which reduces the risk that any sidebar panel or open tab that uses Xulrunner is opened before, which would prevent us from changing the prefs.js content permanently.

      New on OpenNTF: Geospatial indexing for IBM Notes/Domino data

      Karsten Lehmann  30 July 2013 23:11:37
      Last weekend I created a new project on OpenNTF.org, which is part of a pretty big "pet project" that I have been working on for several months and that will hopefully be ready for primetime someday.

      My original plan was to submit this pet project for the last XPages development contest, either in addition to or instead of the Mindoo FTP Server, but the project got bigger and bigger over time - and an FTP server was finally easier to polish and explain than my other idea.

      This idea has to do with alternative indexing techniques for IBM Notes/Domino data, something like "Notes Views on steroids":
      Building an external indexer for IBM Notes/Domino that is more powerful than classic Notes Views, but still easy to use and scalable for large amounts of data.

      And while I was investigating different open source indexers and database engines, I once again came across the topic "Geospatial Indexing", which I had already discussed in the article XPages series #14: Using MongoDB’s geo-spatial indexing in XPages apps

      Geospatial indexing basically solves the task to find locations stored in a database that are close to a given set of coordinates, specified as latitude/longitude pair and to sort the results by distance.
      With all those smartphones out there that carry a GPS chip, the requirement nowadays is pretty often to "find the next Italian restaurant" or "find friends nearby" that all can be solved with Geospatial Indexing.

      In my XPages series article I demonstrated how to use an external MongoDB database to do this kind of search from XPages applications, but this stuff gets even more interesting and realistic if we can solve it with pure Notes/Domino technologies - and it is possible.

      There are a few obvious ways how Geospatial searches could be implemented with Notes/Domino APIs, e.g. Database.search(String), fulltext searching or just manually scanning through all view entries to find the relevant documents.
      The main problem is that they either do not scale very well, because all documents of a database have to be scanned, or they require the creation of a fulltext index, which I personally try to avoid for this kind of lookup (it takes a lot of disk space, is often not up to date, and sometimes has issues with date searches when Domino thinks a field is not a date/time, but a text).

      The solution: Geohashes

      After a few hours of searching, I found a document that explains how MongoDB has implemented Geospatial Indexes.
      They convert latitude/longitude pairs to a single string value, a so called Geohash.

      This way, a single prefix lookup is enough to search for both values. All you have to do is to compute the list of Geohash boxes that intersect the search area and find view entries that start with the right Geohash prefix:

      [Screenshot]
      (screenshot taken from the Geohash demonstrator website)
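
The prefix lookup described above, as an added example that is not code from the Mindoo Geohash Demo or from MongoDB: it encodes coordinates to Geohashes, computes the boxes that cover a search circle, and scans a sorted key list (standing in for a sorted Notes view column) by prefix. The location names, coordinates and the fixed precision of 6 are constructed assumptions, and wrap-around at the ±180° meridian is not handled.

```javascript
// Added example; sample locations are constructed, function names are hypothetical.
const BASE32 = "0123456789bcdefghjkmnpqrstuvwxyz";
const EARTH_RADIUS_M = 6371000;
const rad = (deg) => (deg * Math.PI) / 180;

// Interleave longitude/latitude bisection bits (longitude first), 5 bits per character.
function encodeGeohash(lat, lon, precision) {
  const latR = [-90, 90], lonR = [-180, 180];
  let hash = "", bits = 0, value = 0, evenBit = true;
  while (hash.length < precision) {
    const range = evenBit ? lonR : latR;
    const v = evenBit ? lon : lat;
    const mid = (range[0] + range[1]) / 2;
    if (v >= mid) { value = value * 2 + 1; range[0] = mid; }
    else { value = value * 2; range[1] = mid; }
    evenBit = !evenBit;
    if (++bits === 5) { hash += BASE32[value]; bits = 0; value = 0; }
  }
  return hash;
}

// Width and height (in degrees) of one Geohash box at the given precision.
function cellSize(precision) {
  const bits = 5 * precision;
  return { lonStep: 360 / 2 ** Math.ceil(bits / 2), latStep: 180 / 2 ** Math.floor(bits / 2) };
}

// All boxes that intersect the bounding box of the search circle.
// Small-radius approximation; not valid close to the poles.
function coveringPrefixes(lat, lon, radiusM, precision) {
  const { lonStep, latStep } = cellSize(precision);
  const dLat = (radiusM / EARTH_RADIUS_M) * (180 / Math.PI);
  const dLon = dLat / Math.cos(rad(lat));
  const clamp = (v, lo, hi) => Math.min(Math.max(v, lo), hi);
  const row = (v) => Math.floor((clamp(v, -90, 90 - latStep / 2) + 90) / latStep);
  const col = (v) => Math.floor((clamp(v, -180, 180 - lonStep / 2) + 180) / lonStep);
  const prefixes = [];
  for (let r = row(lat - dLat); r <= row(lat + dLat); r++) {
    for (let c = col(lon - dLon); c <= col(lon + dLon); c++) {
      // Encode the centre of each box to get its Geohash.
      prefixes.push(encodeGeohash(-90 + (r + 0.5) * latStep, -180 + (c + 0.5) * lonStep, precision));
    }
  }
  return prefixes;
}

// Great-circle distance (haversine) in meters.
function distanceM(lat1, lon1, lat2, lon2) {
  const a = Math.sin(rad(lat2 - lat1) / 2) ** 2 +
    Math.cos(rad(lat1)) * Math.cos(rad(lat2)) * Math.sin(rad(lon2 - lon1) / 2) ** 2;
  return 2 * EARTH_RADIUS_M * Math.asin(Math.sqrt(a));
}

// Sorted list of entries keyed by a 9-character Geohash, like a sorted view column.
function buildIndex(locations) {
  return locations
    .map((l) => ({ ...l, key: encodeGeohash(l.lat, l.lon, 9) }))
    .sort((a, b) => (a.key < b.key ? -1 : a.key > b.key ? 1 : 0));
}

// Binary search for the first entry whose key is >= prefix.
function lowerBound(index, prefix) {
  let lo = 0, hi = index.length;
  while (lo < hi) {
    const mid = (lo + hi) >> 1;
    if (index[mid].key < prefix) lo = mid + 1; else hi = mid;
  }
  return lo;
}

// One prefix scan per covering box, then an exact distance filter and sort.
function searchNearby(index, lat, lon, radiusM, precision = 6) {
  const hits = [];
  for (const prefix of coveringPrefixes(lat, lon, radiusM, precision)) {
    for (let i = lowerBound(index, prefix); i < index.length && index[i].key.startsWith(prefix); i++) {
      const d = distanceM(lat, lon, index[i].lat, index[i].lon);
      if (d <= radiusM) hits.push({ name: index[i].name, meters: Math.round(d) });
    }
  }
  return hits.sort((a, b) => a.meters - b.meters);
}

// Constructed sample data: three points in Berlin, one in New York.
const SAMPLE = buildIndex([
  { name: "cafe-near", lat: 52.5186, lon: 13.3762 },
  { name: "cafe-mid", lat: 52.5170, lon: 13.3889 },
  { name: "cafe-far", lat: 52.5200, lon: 13.4050 },
  { name: "cafe-nyc", lat: 40.7580, lon: -73.9855 },
]);
console.log(searchNearby(SAMPLE, 52.5163, 13.3777, 1000));
```

The boxes only narrow the candidate set; the final distance check is still needed because a box can reach beyond the search radius.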


      Mindoo Geohash Demo

      The new project on OpenNTF that demonstrates the Geohash technique is called "Mindoo Geohash Demo" and it looks like this:

      [Screenshot of the Mindoo Geohash Demo]


      Project description

      The sample database can be used to store and search real-world locations. A location document consists of a name, a type (e.g. "Restaurant" or "Supermarket"), address information with street/zip/city/country and a field for other custom data.

      When entered via the web interface, we use the Google Geocoding API  to retrieve geo coordinates (latitude/longitude) for the address.
      These coordinates are stored alongside the other location data in the database.
      Location documents can also be created via a REST API call.

      The database also provides search functionality via web UI and REST API to quickly find the nearest locations for a given point (either entered as address or latitude/longitude pair), sorted in ascending distance.

      To get started, simply sign the database, copy it to your IBM Domino R9 server and open it in a browser.
      The database contains a sample dataset (all Starbucks stores in New York and Berlin, all Apple Stores in Germany) as a starting point, but this data can be deleted to start from scratch.
      To search for locations, enter an address (e.g. "Brandenburger Tor, Berlin, Germany") and the maximum distance in meters (e.g. 1000) in the search form and click the search button.

      You can further restrict the result set by specifying a location type (e.g. "Coffee"). Just select a type and leave the address field empty to see all locations with that type in the database.

      For a visual representation of the search results, select up to 25 rows in the result list and they will get displayed via the Google Maps API.

      Hope you like the demo! All code and required libraries are available under Apache 2.0 license.

      XSS security fix in Domino R9 HTTP server may break existing web applications

      Karsten Lehmann  3 June 2013 21:56:04
      Last week we noticed that two of our web applications did not work as expected after upgrading our servers to Domino R9.
      We tracked down the issue and found the problem: In one REST API call, we have a query string parameter that contains a Domino fulltext query to filter the entries of a Notes view.
      Domino now reported that the query syntax was wrong. The same code had worked in 8.5.3.

      The reason is that the Domino R9 HTTP server contains a security fix to prevent applications from being vulnerable to cross site scripting attacks (XSS).
      IBM picked the brute force solution here: All occurrences of "<" and ">" in the URL automatically get replaced. "<" becomes "-lt" and ">" becomes "-gt".

      Let's take the following simple XPage as an example:

      <?xml version="1.0" encoding="UTF-8"?>
      <xp:view xmlns:xp="http://www.ibm.com/xsp/core">
      Content of query parameter param1:<xp:br></xp:br>
              <xp:inputTextarea id="inputTextarea1"
                      style="width:600.0px;height:200.0px" value="#{javascript:param.param1}">
              </xp:inputTextarea>
      </xp:view>


      When I call this XPage with a URL like

      http://localhost/urltest.nsf/params.xsp?param1=[date]%3E%3D01.01.2008%20AND%20[date]%3C%3D31.12.2008

      we get the following result in Domino 8.5.3:

      Content of query parameter param1:
      [date]>=01.01.2008 AND [date]<=31.12.2008


      With Domino R9, we get this instead:

      Content of query parameter param1:
      [date]-gt=01.01.2008 AND [date]-lt=31.12.2008


      You can see that the operators "<" and ">" got replaced and the ft query is no longer valid.

      The big surprise here was that the Domino server even replaces these characters if they are correctly escaped as hex codes like %3C and %3E.
      This way, IBM wants to prevent web developers from writing the query string content as part of an HTML page without properly escaping "dangerous" characters, e.g. to tell the user that a passed search query

      "<script type='text/javascript'>alert('it works!');</script>"

      is not understandable, which would immediately execute the script block in the browser and could have far worse effects than just a simple alert box.

      And this is not a theoretical threat. It has been done before.

      Workarounds / solutions
      We asked IBM if the current implementation, which also replaces the hex encoded characters, is working as designed and they confirmed. They said they had seen too many XSS attacks in different areas of the product and customer applications, so they picked the "big hammer" as a solution. It's unlikely that this behavior will change anytime soon, but if somebody has a better idea, they are open for discussion.

      Here are a few things that you might try to make your application work again, if you've got the same issues:

      1. Change the URL parameters
      In our sample, we could change the query parameters so that we only pass the min and max dates as query string arguments. The whole FT query can then get computed on the server side. Depending on the kind of query string parameter, replacing "-lt" and "-gt" with the correct values also could be an option. But this might lead into trouble if someone wants to send "-lt" or "-gt" as part of a query string parameter on purpose.

      2. Use POST instead of GET
      If you put the ft query in the payload of a POST request, the parameters do not get replaced.

      3. Disable the XSS fix (not recommended)
      IBM dev told us that the XSS security fix can be disabled by setting the Notes.ini variable

      HTTP_QUERY_STRING_SCRUB=0

      Of course, then the server will be more vulnerable to XSS attacks. So use it at your own risk and try to find a better solution.
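
Workaround 1 and the escaping problem behind the fix, as an added example that is not code from the original post or from IBM: the client sends only the two dates, the server validates them and builds the fulltext query itself, and echoed input is HTML-escaped at output. `scrubLikeDominoR9` is a hypothetical model of the replacement described above, and all function names and the "[subject]" sample value are assumptions.

```javascript
// Added example; function names are hypothetical, sample values are constructed.

// Model of the R9 behaviour described in the post: "<" and ">" are replaced
// even when they arrive hex-encoded as %3C / %3E.
function scrubLikeDominoR9(rawValue) {
  return decodeURIComponent(rawValue).replace(/</g, "-lt").replace(/>/g, "-gt");
}

// The tempting repair: map the tokens back. It cannot tell a scrubbed
// operator from a value that legitimately contains "-lt" or "-gt".
function naiveUnscrub(value) {
  return value.replace(/-lt/g, "<").replace(/-gt/g, ">");
}

// Workaround 1, step 1: accept only a strictly validated dd.mm.yyyy date.
function parseDate(text) {
  const m = /^(\d{2})\.(\d{2})\.(\d{4})$/.exec(String(text));
  if (!m) throw new Error("expected dd.mm.yyyy");
  const day = Number(m[1]), month = Number(m[2]), year = Number(m[3]);
  const d = new Date(Date.UTC(year, month - 1, day));
  if (d.getUTCFullYear() !== year || d.getUTCMonth() !== month - 1 || d.getUTCDate() !== day) {
    throw new Error("no such calendar day");
  }
  return m[0];
}

// Workaround 1, step 2: assemble the fulltext query on the server, so no
// operator characters travel in the URL and no user text reaches the query.
function buildFtQuery(minDate, maxDate) {
  return `[date]>=${parseDate(minDate)} AND [date]<=${parseDate(maxDate)}`;
}

// Output encoding for HTML text nodes and quoted attribute values. This is
// what protects the page when user input is echoed, whatever the URL held.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderQueryError(query) {
  return `<p>Query not understood: ${escapeHtml(query)}</p>`;
}

// Demo with the URL from the post and constructed values.
console.log(scrubLikeDominoR9("[date]%3E%3D01.01.2008%20AND%20[date]%3C%3D31.12.2008"));
console.log(naiveUnscrub("[subject]=alpha-gtk")); // legitimate "-gt" gets corrupted
console.log(buildFtQuery("01.01.2008", "31.12.2008"));
console.log(renderQueryError("<script type='text/javascript'>alert('it works!');</script>"));
```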

      Entwicklercamp 2013 slides about "Dojo 1.8 and AMD" now available in English

      Karsten Lehmann  24 May 2013 20:48:25
      My slides about "Dojo 1.8 and AMD" are now available in English. I have updated my original blog article:


      My EntwicklerCamp 2013 slides: Dojo 1.8 and AMD

      Karsten Lehmann  13 March 2013 14:53:59
      Here are the slides for my EntwicklerCamp 2013 session about "Dojo 1.8 and AMD" in English:

      [Embedded slides]


      and in German

      [Embedded slides]


      Download archive with both versions:

      Slides as ZIP-Archive

      Quick tip: Fixing Dojo drag and drop issues in a Windows 8 VMWare on the Mac

      Karsten Lehmann  7 March 2013 07:33:56
      I am currently setting up a new dev environment with Windows 8 and Notes/Domino 9 to work on demos for my Dojo 1.8/AMD session at Entwicklercamp next week.

      To my surprise, I noticed yesterday that drag and drop operations on Dojo widgets did not work as expected. For example, I could not drag the splitters of a BorderContainer layout widget and the columns of a LazyTreeGrid could not get resized.
      It seemed as if mouse events got lost, but I only got that effect in Firefox and Chrome. In IE, everything was working fine.

      After a bit of Googling, I found out that VMWare Fusion emulates some kind of touch device for Windows 8 and that this can get disabled by setting

      touchscreen.vusb.present = "FALSE"

      in the VMX file of the VMWare image. I tried it and it helped; drag and drop is now working again.