Qwicap Features
Chris W. Johnson
August 5, 2014
- Open Source - Qwicap is distributed under the Lesser
GNU Public License (LGPL). Download it from
SourceForge.
- POJO (and POJL)- Build your applications with Plain Old Java Objects. (And plain
old Java logic; Qwicap rejects the concept of inversion-of-control.)
- It's For Developers - Qwicap isn't about letting web page designers
imitate developers. It is unapologetically aimed at actual developers, because
there's no better or clearer way to express application logic than in
application code. (Java, in this case.) Nonetheless, Qwicap's use of pure,
standards-compliant XHTML markup, and the loose coupling between code and markup
made convenient by its custom XML engine, gives web page designers enormous scope
to work their art without forcing changes to application code.
- Forget the CGI Model - Qwicap discards the traditional "hit-run-exit"
runtime model of CGIs (and almost everything that has followed them) and the
inversion-of-control model that characterizes the frameworks that followed in the
footsteps of CGIs.
While that model may be necessary for some applications, it is also a huge pain in the
developer's ass. It forces developers to do things like: rebuild state with every hit;
embed information in every input that identifies the state to be rebuilt; and turn
application logic inside out. Use that model if you have to; use Qwicap if you don't.
- Rich State, Automatically - Unlike normal web applications, when a Qwicap
application produces a page and sends it to the client, the app doesn't exit. Instead, it
blocks until a valid response is received from the client, and then continues executing
from precisely where it left off. All of the application's data, control flow, and even
its local variables remain in exactly the same state they were in when the page was sent
to the client. State doesn't get any richer than that, and this functionality requires
no modifications to your code (no serialization, no nothing). The runtime "penalty"
imposed by this functionality is that your code should run faster than conventional
web applications, because it doesn't have the overhead of reconstructing its state with
every hit. Because you get this functionality automatically, there is no penalty in
development time, either. As you'd expect, development goes faster when you can ignore
entirely the problems of storing and reconstructing state.
- Developer-Friendly APIs - Most of Qwicap's API is confined to just two
classes, one representing the web application, and the other representing the
custom XML engine. Both APIs were clean-sheet designs that began with the creation
of "ideal"
APIs for common usage cases. All of the Qwicap code was then written to make those
APIs possible. Developer interaction with the APIs was then observed, and the APIs
adjusted to reduce misunderstandings, and further improve common cases. Inside the
code, an emphasis was placed on avoiding errors, and providing informative error
messages (state the rule, state the problem, provide context) when they can't be
avoided. Qwicap is proudly non-conformant with the
Programmers
Hate Programmers Hypothesis.
- Security
- Replay attacks are prevented by automatically inserting nonces
into all pages, and automatically verifying them upon receipt of any data.
Qwicap based applications will never see data sent with a bad nonce.
- Cross-Site Scripting (XSS) attacks are prevented by automatically
HTML-encoding all materials inserted into page markup.
- Markup Integrity
- Completely Standard Markup - Qwicap uses no custom markup
tags or attributes, so the XHTML pages you design for use in Qwicap-based
applications can be fully standards-compliant, and their compliance can be
verified using the
standard HTML validation tools.
- Automatic HTML Encoding & Decoding - Any material
inserted into page markup is automatically HTML-encoded, so adding
material containing, for example, a left chevron (<), won't
corrupt your page markup. Conversely, if an application extracts material
from markup, the material is automatically decoded. Among other things,
this prevents double-encoding mistakes, if the material is reinserted
later.
- Automatic Integrity Checking - If the tag-hierarchy in a
body of markup is found to be invalid when an application asks Qwicap
to load it, Qwicap will throw an exception describing the error in
detail. This basic check avoids a lot of accidental page corruption.
- Automatic Input Verification, Error Messages and User Correction Requests -
Qwicap's user input retrieval methods accept criteria describing the valid values of
each input (minimum and maximum values for numbers, valid lengths and/or regular
expressions for strings; you get the idea). If the input received from the user
doesn't meet your criteria, an appropriate error message is generated and inserted
into your page just above the form from which the bad input originated, the form
controls are populated with the user's input (so the user doesn't have re-enter
their data from scratch), the label for the control that supplied the bad input is
highlighted, and the page is sent back to the client. Qwicap then
restarts your input retrieval loop for that page, and blocks until the user supplies
fresh input. You get all of this functionality automatically, just by invoking one
of the input retrieval methods. And if Qwicap's input validation criteria aren't
specific enough for you, you can do your own validation, and trigger all of those
automatic behaviors yourself, with a single method invocation.
- Transparent File Uploads - Applications can retrieve uploaded files
as easily as any other input from an HTML form.
- Transparent File Downloads - Applications can dynamically generate
material to be downloaded by the client. Qwicap produces a unique URI for you,
handles client requests for the material, and manages the whole life cycle of
the downloadable material, including automatically making it available for
garbage collection when the page that first used the material is no longer
"in play". [Qwicap 1.4 and later.]
- High-Level Form Manipulation API - Manipulate your form controls
abstractly, using the control names in the markup. Get their values, set their values,
enable and disable them, delete them outright, if you wish. Qwicap acts appropriately
for each type of control, so your code can limit its assumptions about the particulars
of each form. In many cases, control types can be changed outright, without affecting
the application code. Of course, if the high-level form API won't get you where you
want to go, you can still manipulate the markup directly using Qwicap's custom XML
engine.
- Custom XML Engine - Qwicap is built on a fast XML engine that
automatically provides markup caching and fine-grained sharing amongst the
multiple threads of web applications (or any Java application). The API for
manipulating markup is built around searches using
CSS
selectors, list processing, and method invocation chaining, so developers
already know its search language, and they will find that the API allows them to
perform an impressive amount of work with a single line of code.
- Zero JavaScript - You can add JavaScript to your pages if you wish, but
Qwicap makes no use of it whatsoever, so everything Qwicap does happens server-side
and works no matter what brain-damaged flavors of JavaScript your users' browsers
happen to support.
- No Metadata, No Configuration Files - Your code fully expresses how your
application functions. Its operation is neither controlled, nor modified, by any
metadata or configuration files. So you won't spend time learning another set of file
formats, or figuring-out how they affect your application.
- Simplified Deployment - Most Qwicap applications can use a generic "web.xml"
file, because Qwicap can automatically discover the entry point of the application.
[Qwicap 1.4 and later.]
- Not a Framework - Qwicap works hard to fit into your code, rather than
forcing you to slice & dice your code to fit into it.