File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes HTML, CSS and JavaScript and the fly likes To the author, Frank Zammetti Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Engineering » HTML, CSS and JavaScript
Bookmark "To the author, Frank Zammetti " Watch "To the author, Frank Zammetti " New topic

To the author, Frank Zammetti

Sri Pos

Joined: Dec 05, 2006
Posts: 9

1. Are there any security concerns for using Ajax?
2. When using ajax, is it a good idea to create a <TABLE> on the fly using DOM scripting ? Are there any performance concerns using DOM scripting to create a 'big' table on the fly ?

Are these details covered in your book ?

Frank Zammetti
Ranch Hand

Joined: Dec 16, 2004
Posts: 136
Hi Sri,

1. Yes, there definitely are security concerns. Things like request spoofing come to mind. However, a little common sense goes a long way: AJAX is just another type of request from browser to server (and not actually a unique kind since its POST, GET, etc. anyway), so the same types of precautions you'd take in general web programming still apply 100% to AJAX. Even with request spoofing, that's something that can happen with a non-AJAX application too.

One mistake people tend to make in the Web 2.0 world is to believe they can all of a sudden implicitly trust the client. This is no more true now than it was a year ago. You still need to verify input on the server-side. You still need to use SSL for transport security. You still need to think about things like basic auth. You still need to think about what data your actually transmitting.

A common mistake that follows naturally from there is putting business logic on the client. Some people think that doing more client-side work means business rules should be moved to the client, and this is (generally) not the case. What you *can* move to the client is the control layer in an MVC architecture, at least largely. You model, and of course the underlying data store, remains solidly on the server.

I don't cover these topics specifically in the book, but they are covered to some degree as a consequence of some of the applications being built (which, because of the nature of the book, is how most topics are covered). As they come up during construction of the application, they are covered.

2. About creating a table... I think it depends on a couple of factors. First, if it's a really large table, you are almost always better off generating it server-side and just inserting the markup. The problem there is that some browsers don't react quite the same way when you do this in terms of everything being added to the DOM automatically. So, you may run into cases where you can't access elements after the creation, etc. To be honest, this definitely used to be true, but I haven't specifically tried with current browsers to see if its still the case... I have a suspicion it's no longer true and things always get added to the DOM properly. But either way, a really large table, maybe 100+ rows or so, will take noticeable time to create in script, much more time than it'll take to generate the markup on the serve, transmit it back to the client and insert it. I think it's a case of needing to do some benchmarking to see where the line you don't want to cross in terms of size of the table is. Also keep in mind that you'll definitely see speed differences in different browsers (and don't assume IE is always the slower one because it's most definitely not true).

-- <br />Frank W. Zammetti<br />Founder and Chief Software Architect<br />Omnytex Technologies<br /><a href="" target="_blank" rel="nofollow"></a><br />AIM/Yahoo: fzammetti<br />MSN:<br />Author of "Practical Ajax Projects With Java Technology"<br /> (2006, Apress, ISBN 1-59059-695-1)<br />and "JavaScript, DOM Scripting and Ajax Projects"<br /> (2007, Apress, ISBN 1-59059-816-4)<br />Java Web Parts - <a href="" target="_blank" rel="nofollow"></a><br /> Supplying the wheel, so you don't have to reinvent it!
I agree. Here's the link:
subject: To the author, Frank Zammetti
It's not a secret anymore!