AJAX: Friend or Foe

AJAX can make Web pages feel like full-fledged applications, but beware weaknesses in security and accessibility

Elements of AJAX

Asynchronous JavaScript and Extensible Markup Language is a combination of Web development technologies that allows portions of a page to update without having to refresh the entire page. These technologies include:

Cascading style sheets: CSS provides the markup to style a Web page in a way that is pleasing to the eye.

Document object model: DOM lets scripts read and modify the structure and content of a loaded Web page, so the page can be treated as a full-fledged program.

Extensible markup language: XML is used to format the data used in AJAX Web transactions.

HTML and Extensible HTML: HTML provides the structure for a Web page. XHTML allows developers to provide the framework for XML data.

JavaScript: JavaScript is a scripting language for enhancing user experiences on Web pages.

XMLHttpRequest (XHR): XHR is a browser interface that lets a page's script exchange data with the Web server over HTTP without requiring the user to refresh the Web page.

According to the poet Homer, Ajax was one of the mightiest Greek warriors in the battle of Troy. But he also wound up going mad and turning on his friends before killing himself.

Now, 2,500 years later, AJAX, or Asynchronous JavaScript and Extensible Markup Language, is an ally of the Geeks: Web developers seeking easier ways to create interactive applications. But as they grapple with usability, security and Section 508 compliance issues surrounding AJAX, they may also worry about it turning on them.

'AJAX is successful because it is so easy to learn, easy to use and easy to deploy,' said Michel Gerin, vice president of marketing at Backbase USA, an AJAX consulting and development company that has created AJAX applications for a number of federal clients, including the Navy.

'You can just write a few JavaScript codes or find some on the Web, put it in your HTML page, and, voilà, it works.'

But AJAX is not without its challenges.

'Rich Internet Applications such as AJAX and [Dynamic] HTML are becoming increasingly popular as Web development techniques,' said Judy Brewer, director of the World Wide Web Consortium's Web Accessibility Initiative (W3C/WAI). 'Yet they can create barriers for people with disabilities because of difficulty accessing dynamic navigation and event features.'

So the question arises: Which side of AJAX will you get: the mighty ally or an unstable technology that will turn on you?

Wait-loss program

AJAX is not a single technology, but a Web development technique using a set of technologies that work together to create a smoother interactive experience.

Although the term was coined in 2005 by Jesse James Garrett, president of consulting firm Adaptive Path, some of the technologies go back a decade. AJAX is just a way to describe developing Web applications using these technologies.

It is a browser-based approach that breaks down the traditional concept of the Web page, making it more like a desktop application. With traditional Web pages, Garrett wrote in his initial paper on the subject (GCN.com/866), a user action, such as clicking on a button, triggers an HTTP request to the Web server.

The Web server then processes the request (querying databases, performing calculations or pulling up documents), generates a new Web page and sends that entire page via the pipe to the user.

'While the server is doing its thing, what is the user doing?' Garrett wrote. 'That's right, waiting. And at every step in a task, the user waits some more.'

To cut waiting time, AJAX loads a JavaScript engine into the browser, usually in a hidden frame, which renders the user interface and communicates with the server on the user's behalf. Once the engine is loaded, the user can interact with the Web page while requests complete in the background.

AJAX has been broadly adopted by a number of companies, most notably Google, which uses it for Google Maps and Gmail. Netflix also uses AJAX to let its customers change their list of movies.

Federal agencies are increasingly using AJAX, too. The Air Force is moving to AJAX as part of its Enterprise Knowledge Management (EKM) system that provides process automation and system-to-system interoperability across the service.

EKM was started in 2001 as part of the Charter for Aging Aircraft Program and now supports collaboration for more than 80 projects or enterprises and more than 5,000 users.

'The AJAX-based design will allow the application to have more of a desktop application look and feel,' said Michael Hucul, EKM program manager at Wright-Patterson Air Force Base, Ohio. 'It will allow us to include some of the features people expect from a shared drive, such as drag and drop.'

The new filing cabinet will load faster and cut bandwidth requirements because it will only load data when the user needs it.

JSTARS in your eyes

Part of EKM is the Secure Collaborative Integrated Development Environment for the Joint Surveillance and Target Attack Radar System (JSTARS) software maintenance group, a collaboration between the military and Northrop Grumman.

'The solution that we chose here is to provide Air Force teams, organizations and contractors a secure, cost-effective method to jointly develop, maintain and upgrade mission-critical and weapons systems software,' said Scott Randall, technology lead at the 402nd Software Maintenance Group at Robins Air Force Base, Ga.

Enhancements and software maintenance for JSTARS are being performed by the Air Force at Robins and by Northrop Grumman.

'We hope this new system will eliminate redundant efforts from an integration perspective and unify our test teams and our development teams in execution of the software,' said Vinnie Simone, Northrop Grumman's senior program manager for Total Systems Support Responsibility.

Although AJAX indisputably builds better applications, its use also raises concerns about accessibility, security and usability, concerns that also apply to other Rich Internet Applications.

Adaptive technologies such as screen readers and speech dictation software make the Web accessible to people with disabilities, a requirement for federal Web pages under Section 508 of the Rehabilitation Act Amendments of 1998.

Brewer said W3C/WAI is developing a suite of resources called Accessible Rich Internet Applications. The suite (GCN.com/887) includes a road map, taxonomy and syntax for developing accessible applications.

Security is another issue. Rich Internet Applications are more complex than straight HTML and can open new vulnerabilities. AJAX attacks have already hit Yahoo and MySpace visitors.

Hackers can also read the browser-side JavaScript and get an idea of the underlying server application architecture, so developers have to be careful not to expose unnecessary information in the AJAX engine. Enabling JavaScript in the browser also opens it to other types of attacks.
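One check a defender can build from the point above, as an added example that is not from the article or from any product it names: a build-time scan of the JavaScript that will be shipped to browsers, flagging lines that describe the server side. The rules and the sample engine snippet are constructed for illustration.

```javascript
// Added example (not from the article): a build-time scan of the JavaScript
// shipped to browsers for details that describe the server side. The rules and
// the sample "engine" below are constructed for illustration.

// Each rule names a category and a pattern for something that should not be
// visible to anyone who views the page source.
const LEAK_RULES = [
  { category: "sql",
    pattern: /\b(?:select\s.*?\sfrom\s|insert\s+into\s|delete\s+from\s|update\s+\w+\s+set\s)/i },
  { category: "internal-host",
    pattern: /\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b|\b[\w-]+\.(?:internal|corp|local|lan)\b/i },
  { category: "server-path",
    pattern: /(?:\/var\/www|\/etc\/|\/home\/[\w-]+|\/opt\/|[A-Za-z]:\\(?:inetpub|Windows))/ },
  { category: "debug-comment",
    pattern: /(?:\/\/|\/\*).*\b(?:TODO|FIXME|HACK|XXX|debug)\b/i },
];

// Scans one source file and returns every (line, category) hit so the build
// can fail or a reviewer can look at the offending lines.
function findLeaks(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    for (const rule of LEAK_RULES) {
      if (rule.pattern.test(text)) {
        findings.push({ line: index + 1, category: rule.category, text: text.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample: an AJAX engine that leaks a query, an internal host name
// and a developer note. Only the xhr lines belong in shipped code.
const SAMPLE_ENGINE = [
  "// AJAX engine for the document browser",
  "function loadFolder(id) {",
  "  // TODO: remove once the debug endpoint on app-db01.corp is gone",
  "  var q = 'SELECT name, path FROM documents WHERE folder_id=' + id;",
  "  xhr.open('GET', '/svc/folder?id=' + encodeURIComponent(id), true);",
  "  xhr.send(null);",
  "}",
].join("\n");

for (const f of findLeaks(SAMPLE_ENGINE)) {
  console.log(`line ${f.line} [${f.category}]: ${f.text}`);
}
```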

Finally, AJAX wreaks havoc with traditional behaviors we've all come to expect from the Web environment.

For users, early complaints included being unable to use the browser's back button to view an earlier version of a page, in addition to being unable to bookmark a particular version of a page. For developers, a common complaint was having to write different versions of the JavaScript for every browser version visitors might use.
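The workaround the frameworks apply for the back-button and bookmark complaints, as an added example that is not code from the article or from any framework it names: the view state lives in the URL fragment, so each AJAX navigation adds a browser history entry and a bookmarked URL restores the same view. The state keys (folder, page, sort) and the renderView hook are assumptions.

```javascript
// Added example (not from the article): AJAX view state kept in the URL
// fragment so Back and bookmarks work. The keys below are assumptions.

// Only these keys may be restored from a URL, each with a validator, so a
// crafted link cannot inject arbitrary state into the page.
const STATE_SCHEMA = {
  folder: (v) => /^[A-Za-z0-9_-]{1,64}$/.test(v),
  page:   (v) => /^[1-9]\d{0,4}$/.test(v),
  sort:   (v) => ["name", "date", "size"].includes(v),
};
const DEFAULT_STATE = { folder: "root", page: "1", sort: "name" };

// Serializes the state into a fragment such as "#folder=x&page=2&sort=date".
function encodeState(state) {
  const parts = [];
  for (const key of Object.keys(STATE_SCHEMA)) {
    if (state[key] !== undefined) parts.push(key + "=" + encodeURIComponent(state[key]));
  }
  return "#" + parts.join("&");
}

// Rebuilds the state from a fragment; unknown keys, invalid values and bad
// percent-encoding are ignored and the defaults are used instead.
function decodeState(hash) {
  const state = { ...DEFAULT_STATE };
  const body = hash.startsWith("#") ? hash.slice(1) : hash;
  for (const pair of body.split("&")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue;
    const key = pair.slice(0, eq);
    let value;
    try { value = decodeURIComponent(pair.slice(eq + 1)); } catch { continue; }
    if (Object.prototype.hasOwnProperty.call(STATE_SCHEMA, key) && STATE_SCHEMA[key](value)) {
      state[key] = value;
    }
  }
  return state;
}

// Browser wiring: navigating sets the fragment, which creates a history entry;
// pressing Back or opening a bookmark fires hashchange and re-renders that view.
function installHistorySupport(renderView) {
  if (typeof window === "undefined") return;
  const apply = () => renderView(decodeState(window.location.hash));
  window.addEventListener("hashchange", apply);
  apply();
}
function navigate(state) {
  if (typeof window !== "undefined") window.location.hash = encodeState(state);
}
```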

There are also problems with search engines because Web crawlers don't typically execute the code to access the data.

Native AJAX still has these drawbacks, but workarounds exist, either as stand-alone code or as a framework. Microsoft has ASP.NET AJAX (formerly called Apollo), and NexaWeb Technologies has Enterprise Web 2.0. Backbase has Enterprise AJAX 4 in addition to a free version of its framework, and the company is releasing a visual AJAX development tool early next year.

Using a framework addresses these problems and makes it possible to write a single set of code that works on all browsers.

'For anybody who wants to start in AJAX, make sure you know what your requirements are, and then look for a framework, ours or someone else's,' Gerin said. 'It will really help you to manage your code and to maintain it down the road.'
