Meet the experts: Roland Barcia on AJAX and WebSphere

WebSphere consultant Roland Barcia answers questions on building Web 2.0 applications with AJAX technologies on WebSphere®.

Roland Barcia, Certified IT Specialist, EMC

Photo: Roland BarciaRoland Barcia is a Consulting IT Specialist for IBM Software Services for WebSphere. He is a co-author of IBM WebSphere: Deployment and Advanced Configuration.

developerWorks Master author level

25 October 2006

Also available in Chinese Japanese


WebSphere consultant Roland Barcia answers questions on building Web 2.0 applications with AJAX technologies on WebSphere. He answers questions about invoking WebSphere applications from AJAX clients, which includes WebSphere Process Server, WebSphere Enterprise Service Bus, and WebSphere Application Server. Topics range from popular data transport forms (such as REST, JSON-RPC, and SOAP), tooling (such as the Eclipse AJAX Toolkit and Rational tools), or AJAX toolkits (such as the Dojo Toolkit and DWR). He also discusses how AJAX technologies integrate with IBM's SOA platforms.

Question: What are IBM's efforts to support the AJAX server side component framework?

Answer: Web 2.0 is very important to IBM®. IBM views Web 2.0 as critical piece of the service-oriented architecture (SOA) puzzle, serving as an on-ramp into the SOA enterprise. From a server side perspective, you can expect IBM to release several technologies in the coming months that allow services to be invoked by popular Web 2.0 protocols, such as REST and JSON. You can expect this technology to be used inside our WebSphere product stack. This includes products, such as WebSphere Portal, and the WebSphere Business Integration products, such as WebSphere Process Server and WebSphere Enterprise Server Bus. You can also expect to see Web 2.0 server side components in other programming languages as well, such as PHP.

Finally, you can expect Web 2.0 to become a major platform, with IBM building on top of Web 2.0 to provide enterprise level needs, such as security. Security is a big concern with AJAX-based applications. IBM is also working with the community through the Open AJAX Alliance, helping define industry standards.

Question: Which is the best AJAX toolkit to use? Can we use AJAX in WebSphere Developer Studio Client? If yes, then how?

Answer:"Best" is always dependent on your needs. I can tell you what my favorite frameworks are, but I do not know what you need. You should ask yourself the following questions:

  • Do you need a JavaScript framework that provides abstractions of asynchronous invocations?
  • Do you need a rich set of pre-built widgets and the ability to create your own widgets?
  • Do you need a server side framework that handles marshalling of AJAX requests coming in as XML or JSON?
  • Do you need a development environment to help debug your AJAX applications?

Here is a list of frameworks you can look at. Keep in mind that some of these are open source frameworks, and you have to get support from the supported communities of those frameworks.

Also, you can expect IBM to release soon Web 2.0 functionality as listed in the prior question.

Most AJAX-based frameworks are based on JavaScript, so you can use the JavaScript-based frameworks on WebSphere Developer Studio Client for iSeries. However, the Eclipse Toolkit will not work because it is based on a later version of Eclipse. You can consider using one of the browser debugging tools I listed above.

Question: Is it possible to invoke an external Web application from an activity in WebSphere Process Server as a sync call? Display this Web app to the user at that activity step in the business process, complete that activity by completing the Web app step, and move to the next step in the business process. If so, how would this be accomplished?

Answer: I believe you are asking if we support Human Tasks. The answer is yes. You can have a Web application page refresh itself to check if there is an activity using the Human Task Manager API. The steps would go something like this:

  1. A business process would call a Human Task component to create an activity.
  2. A Web page can use the Human Task API to access the activity on the queue. It is quite possible you can use some asynchronous AJAX request in the background to check every so often, making the notification appears close to real time.
  3. The user can then access the activity, enter the data, and move the activity to the next step (perhaps by invoking a Web service).

Here are some resources on the Human Task component of WebSphere Process Server:


Question: How do you set system properties in Rational Application Developer (RAD) V6.0? However, I don't want to define the system properties in WebSphere Application Server (hereafter called Application Server).

Answer: I am unclear to what exactly you need. You want to add system properties to the JVM with the Eclipse workbench running? You can enter command parameters when starting RAD using -vmargs. For more information, see The Eclipse runtime options.

Do you want to set system properties for J2SE applications that you are testing? For any other JVM you launch (such as a client application), the IBM launcher (invoked by Run) allows you to configure various types of Java applications and usually has an Environment tab.

Do you want to set system properties for the WebSphere Application Server V6 Test Server? This has to be done through the WebSphere admin console because the test environment for Application Server V6 in RAD is a full WebSphere Application Server.

Question: Can you suggest an appropriate strategy for managing the security of AJAX-based request for XML data through servlets, where the application is being developed as a portlet. (This will be later addressed when the Portlet 2.0 spec is available and a resource request is available.)

Answer: To begin with, you should secure your servlets using J2EE security roles. This will allow only authenticated browsers to get in. Security in general is a tough issue with AJAX. AJAX is both new and old. As with any Web facing applications, there are a number of "old" issues you should be addressing. See the following articles on WebSphere security hardening:

Beyond the "old", we must recognize that AJAX is a new powerful and complex technology that, while built on old ideas, when used in practice, has the potential to introduce new vulnerabilities. As such, it changes the nature of some things. For example, because people are sending more XML requests through the browser, you may likely experience the increased risk of XML threats. A solution might be an SOA appliance, such as DataPower, which specializes in XML threats. For more information on this, see Comment lines: Bill Hines: The (XML) threat is out there.

In addition, the client is at risk from malicious JavaScript that could be inserted in response handlers. Make sure your browser is only executing JavaScript from a trusted server site. For example, Mozilla® allows for execution of signed scripts only.

When considering Web 2.0 sites, you need to consider all of the following:

  • Many hacks are possible (and have been done) using JavaScript.
  • Keeping state on client raises risks - is it protected?
  • Code on client raises risks - can I determine how your system works? Too much business logic in the browser can be a serious risk and expose business procedures.
  • Can the browser be tricked to run evil code more easily?
  • Javascript in the browser can even hack companies from within their corporate network.
  • On the server, some other concerns may be:
    • Exposing many fine grained services over the Internet will increase attack surface.
    • SQL and XML injection to the server.

There is much unknown with AJAX and Web 2.0 as far as security, and only through time and maturity will we discover all the possible threats. For more information, see AJAX and security.

Question: Doesn't AJAX break model 2 programming and take us back to include non-presentation logic in our Web pages like the bad old days? Isn't this just another kludge to try and emulate real desktop GUI application capabilities?

Answer: The answer is "it depends". Taking a step back, let's look at Model 2, which is a J2EE programming implementation of the MVC pattern. Figure 1 below illustrates Model 2.

Figure 1. Model 2
Figure 1. Model 2

In the J2EE Model 2 architecture, a servlet is the UI controller, responsible for getting input data, calling some back-end business logic, and then deciding what JSP to forward to. The JSP renders the page. However, there is also the notion of an application controller, sometimes implemented within the session facade layer, which controls lower level tasks to invoke, and then builds some type of response.

Similarly, consider those application controllers (or facades) exposed as Web services. Usually a Web service framework contains some front servlet that is responsible for taking in some SOAP input, marshalling the input to some back-end service, taking the response, and generating XML mark-up instead of the HTML mark-up.

AJAX gives us the opportunity to invoke services directly from the browser. If you invoke these services through some model-view-controller framework like Struts, you wind up with MVC Bloat as shown in Figure 2.

Figure 2. MVC Bloat
Figure 2. MVC Bloat

However, in the Web 2.0 model, some of the controller logic and rendering logic can be offset to the client (see Figure 3).

Figure 3. Web 2.0 model
Figure 3. Web 2.0 model

In this case, your Model View frameworks, like Struts and JSF, are responsible for the initial rendering of the page, using traditional Model 2 architecture. However, from that point forward, some of the UI controller logic can be offloaded to the client.

Keep in mind that business logic and secure data should be maintained on the server. AJAX gives you the possibility for a much more scalable and stateless middle tier. However, I believe that until some of the security concerns are worked out, we may see a mix for sometime to come (see the prior security question). An SOA Appliance optimized for security, like Data Power, can probably help move towards that vision faster.

Question: I am installing WebSphere Process Server in a 4 step installation process. My IBM WebSphere Integration Developer installed fine, but as soon as the third step, which is "installation of WebSphere Application Server Network Deployment and WebSphere Process Server", I am getting an error like this in the log. I tried to manually update the wps_install.bat file so that I can get the values of WAS_SRC=%~1 and WID_TARGET_DIR=%~2, but all my efforts failed. The launchpad is failing to invoke the third step of the installation and the log file shows this error:

(Sep 16, 2006 9:06:11 AM), Install,, err, Error when 
getting Resource Path: File does not exist: c:\software\

(Sep 16, 2006 9:06:11 AM), Install,, err, Error when
changing permission of files: ServiceException: (error code = 399; message = 
"/wps_install.bat does not exist"; severity = 0)

(Sep 16, 2006 9:06:11 AM), Install,, err, IO Error 
when Execute commands: CreateProcess: /wps_install.bat  
C:\WID\WebSphere error=2

Answer: I would open a PMR for a problem like this and have IBM support help you. You can check Troubleshooting installations and updates to WebSphere Integration Developer. In general, I have seen similar problems when running out of disk space, not having proper permissions on the machine, or running an installation from a network install directory. In general, after the install for WebSphere Integration Developer finishes, you can run the wps_install.bat by itself.

Question: I am doing JMS pointtopoint queue messaging. I am getting the following error:

javax.naming.NameNotFoundException: Context: blrkec32515d/nodes
/blrkec32515d/servers/server1, name: jms/QCF: First component in name 
QCF not found.  Root exception is
 (Unknown Source)
 at javax.naming.InitialContext.lookup(
 at PointToPoint.<init>(
 at PointToPoint.main(
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke
 at sun.reflect.DelegatingMethodAccessorImpl.invoke
 at java.lang.reflect.Method.invoke(
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
 at java.lang.reflect.Method.invoke(

Answer: WebSphere Application Server supports many JMS providers, including the built in Service Integration Bus and WebSphere MQ. From your question, it is unclear which one you are using. See the following articles on how to configure JMS in WebSphere:

If you are using resource references, remember to pre-qualify your JNDI lookups with java:comp/env.

Question: This is the error shown from an auto-generated .wsdl file in WebSphere Integration Developer v6.0.1:

  1. cvc-attribute.3: The Value "of attribute 'name' on element 'definitions' is not valid with respect to its ,'NcName'.
  2. cvc-datatype-valid.1.2.1: "is Not a valid value for 'NcName'.

Below is my .wsdl file:

<?xml version="1.0" encoding="UTF-8"?>

<definitions xmlns=""
humantask/AcceptQuoteHT" xmlns:ns0="http://QuoteBusinessIntegration/com/
BusinessRules" xmlns:plnk=""
/AutoQuoteCGBSInterface" xmlns:xsd="" 
name="" targetNamespace="http://www.QuoteBusinessIntegration.process

  <plnk:partnerLinkType name="CreditScoreBridgePLT">

    <plnk:role name="CreditScoreBridgeRole">

      <plnk:portType name="wsdl0:CreditScoreBridge"/>



Answer: The definitions clause could contain the attribute name="". Either that attribute should not exist (my preference), or it must have a value.


The author would like to thank Joseph Sharpe, Keys Botzum, Robert Peterson, Tom Kristek, and Russell Butek for their help in preparing this article.



developerWorks: Sign in

Required fields are indicated with an asterisk (*).

Need an IBM ID?
Forgot your IBM ID?

Forgot your password?
Change your password

By clicking Submit, you agree to the developerWorks terms of use.


The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.

All information submitted is secure.

Choose your display name

The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerWorks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

Required fields are indicated with an asterisk (*).

(Must be between 3 – 31 characters.)

By clicking Submit, you agree to the developerWorks terms of use.


All information submitted is secure.

Dig deeper into WebSphere on developerWorks

Zone=WebSphere, Open source, SOA and web services
ArticleTitle=Meet the experts: Roland Barcia on AJAX and WebSphere