BT

Overview of the Curl Enterprise RIA Platform

| by Jon Rose Follow 0 Followers on Jun 13, 2008. Estimated reading time: 5 minutes |
In this post, InfoQ.com discusses the platform with Curl, Inc. VP of Developer Relations Richard Monson-Haefel. Curl is a platform for building Enterprise RIA applications. Monson-Haefel covers the Curl programming language, IDE, and client side runtime. In addition, he highlights why you might consider using Curl over Adobe AIR and Flex when building RIA’s for the enterprise.

Monson-Haefel began by providing an overview of Curl:
Curl was founded in 1998 based on MIT research and was the first RIA platform before the term “RIA” was even coined. The Curl rich Internet application platform is focused on building high-performance mission-critical business applications.

The Curl programming language is the foundation of the Curl platform and combines the strengths of markup languages, scripting languages and heavy-duty object-oriented programming languages. Curl is able to simplify the development of applications that require more than one of these capabilities because of its strong support for all three of these models within a single unified language.

Developers who are frustrated by the performance limitations of other platforms and want to create highly-interactive applications that are able to run with the full power of the client machine should consider taking a look at Curl. Many of our customers have found (sometimes after attempting to use Flex) that Curl's security, functionality, and performance enables them to do things that they couldn't do before. With Curl, even highly sophisticated applications can be implemented as RIAs without sacrificing performance or development speed.

If a developer is still investigating RIA platforms best suited for their application’s needs, we think that they owe it to themselves to evaluate Curl as a serious alternative to some of the other available platforms.
InfoQ asked Monson-Haefel to share more about the client side runtime:
Curl, Inc. maintains two software products based on the Curl programming language: the Curl integrated development environment (or IDE) and the runtime environment (or RTE). The Curl RTE is the engine for executing and displaying Curl applications in the same way that Adobe Flash is the engine for running Flex applications.

The Curl runtime is much faster than the Flash runtime and can also provide on-line/off-line and in-browser/out-of-browser applications with local storage. So its equivalent to Adobe Flash and Adobe AIR only it’s much more secure – it has to be more secure to run as an enterprise platform. We did a benchmark comparing Curl to Flex and found it to be 8 to 10 times faster. You can check out the benchmark here.

We recently announced an Eclipse-based beta version of the RTE and IDE (now called the Curl Development tools for Eclipse or CDE) as we transition all of our development tools to the Eclipse framework, opening up Curl to a whole new community of developers.
InfoQ followed up asking about market penetration of the client runtime:
After seeing very strong success in Japan with over 300 customers and 40 partners, Curl re-launched into North America in April of 2007. Given that, most of Curl’s customers are in Japan but we are seeing strong demand from many North American companies for a high-performance RIA platform like Curl.

Regarding runtime market penetration, Curl was never intended to be a mass-market technology and we have no intentions of trying to compete against companies like Adobe on their huge install base. Most Curl applications are deployed behind the firewall so that runtime install numbers are not a concern.
Monson-Haefel discussed the IDE in more detail:
Curl has a full-featured IDE that includes drag-and-drop visual editing, syntax-sensitive editing with auto-completion, a debugger with breakpoints, extensive data inspection facilities, performance profiler, source-code-control integration, extensive documentation and much more. Curl also includes a robust set of libraries which are on par with Java in terms of depth and breadth.

Although Curl developers tend to be programmers rather than designers, Curl designers do use Adobe Photoshop and Illustrator to create artwork that can be easily integrated into Curl applications.
Monson-Haefel on how to get started with Curl:
The best way to get started is to go to the Get Started with Curl web page. Also check out some of the Curl demos on the Curl Developer community site, get your hands dirty and download the IDE, and join the Curl Community to decide for yourself if Curl is a best fit for your application. Our community is extremely responsive – most questions get answered within a couple of hours or less.
InfoQ asked about integrating Curl with other RIA technologies:
The latest full version of Curl, Version 6.0, makes it even easier than previous versions to integrate with other RIA technologies like JavaScript and Ajax. Curl applications are able to make calls to JavaScript APIs in the surrounding Web page, and can also be controlled from JavaScript in the surrounding page. Version 6.0 also includes support for parsing and creating data streams in JSON format. These features allow Curl to be use for building enterprise-class mashups that include data accessed using existing JavaScript APIs.
Monson-Haefel on Curl licensing:
Curl offers BASE versions of the IDE and Deployment Licenses that are free, fully functional, and are able to create applications with the full strength of the Curl language and platform. Commercial use is restricted to Web applications that are invoked through publicly visible URLs, do not use https and are free to end-users.

Curl also provides PRO versions of the IDE and Deployment Licenses that augment the BASE versions with additional security, performance and maintainability for enterprise-class applications.
InfoQ inquired on what types of developers should consider using Curl:
Curl is focused primarily on enterprise developers responsible for building mission-critical applications, so we are open to all kinds of developers. The language is actually pretty easy to learn and you only need to learn one language to do markup, style sheets, and full-blown object oriented programming.
Monson-Haefel points to a few sample applications:
A number of sample Curl demo applications are available at the Curl website including a stock performance calculator and a Facebook social graphing tool and timeline viewer that utilize the latest version of Curl, Curl Nitro. Being focused on the enterprise means most of our clients applications are not for public consumption – we are working on putting out more demos in the future.
In closing, Monson-Haefel shared:
It is important to understand that while there are there are many tools available for developing enterprise-strength applications, some tools, no matter how popular, are not always the best choice for all cases.

Curl was specifically built for the enterprise and is currently in its sixth version with proven results in enterprise implementations, while other tools are only now being used in the enterprise with varying results.
Learn more on the Curl site. In addtion, InfoQ featured a discussion on the Curl benchmarks last week.

Rate this Article

Adoption Stage
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Security by Christopher Brind

In what way is Curl secure where Flex is not? I keep seeing security being mentioned but I need to see a direct comparison against Flex (and others if you really want). Thanks in advance.

Re: Security by Richard Monson-Haefel

Good question. The Flex framework runs on the Flash runtime and the Flash runtime has suffered from a number of exploits, many of them very recently. To get an idea of the number of exploits Flash has experienced in the wild take a look at the OSVDB exploit database for (osvdb.org/search?page=4&request=Flash) and compare it to the number of exploits for Curl (osvdb.org/vendors/search?name=Curl) for which there are none.

Note: cURL (little 'c') is not the same as Curl (big 'C'). cURL is an unrelated open source project to the Curl RIA platform. It has a couple of exploits listed but the Curl platform has none.

The fact is that security has always been the primary concern when developing Curl over its six generations dating back before 1998. We call it "Job #1".

Just as the Windows platform, by virtue of its ubiquity, is the major target of hackers so too is Flash. We are not interested in becoming a ubiquitous player in mass-consumer applications - we focus on the enterprise. As a result Curl is primarily used behind the fire wall and is not even on the radar of the hacker community. The exact opposite can be said for Flash. Customers who use Curl get a platform that is not only secure from the bottom up, its not even a target of hackers so there are no exploits in the wild. The same cannot be said about Flash.

Re: Security by Jon Rose

Richard, Thanks for giving us such an excellent interview. Curl sounds like a very nice technology for building RIA's. On the security point, is it really relevant to compare it to Flash in this way? In the interview you suggest Curl is for really a much more narrow set of deployments:


Regarding runtime market penetration, Curl was never intended to be a mass-market technology and we have no intentions of trying to compete against companies like Adobe on their huge install base. Most Curl applications are deployed behind the firewall so that runtime install numbers are not a concern.


So, would this really be a high point of concern if one is comparing the two technologies for deployment of an enterprise application within such a controlled environment?

Re: Security by Richard Monson-Haefel

So, would this really be a high point of concern if one is comparing the two technologies for deployment of an enterprise application within such a controlled environment?


Absolutely! Just because a user is behind a firewall doesn't mean that end-users (the secretary, developer, VP of Sales, etc.) doesn't have access to the Internet and can't run Flash or download an AIR file. In many cases they do and that is the dangerous part. Ask yourself this: If you are at work right now and you are behind your corporate firewall can you access flash content? I'm betting that most people can which means that everyone of them is now vulnerable to Flash exploits. And don't even bring up AIR which is a nightmare all its own. Flash should be banned from the corporate intranet - its great for animations and video but for the enterprise its simply too dangerous of a platform.





Richard Monson-Haefel
VP of Developer Relations
Curl, Inc.

Re: Security by Jon Rose


Flash should be banned from the corporate intranet - its great for animations and video but for the enterprise its simply too dangerous of a platform.




Interesting statement! I did a quick search on IE & Firefox in the osvdb.org database. I see many-many scary things in there for them too - would you suggest they should meet a similar fate in corporate Intranets?




osvdb.org/search?request=Firefox

osvdb.org/search?request=IE



To me, it seems that security vulnerabilities are a reality with any platform that reaches mass adoption. The real question on security within a widely adopted platform is how quickly an effectively are issues addressed. Also, there are of course significant benefits to mass adoption that help to offset this concern.




To that point, many Java developers select Flex because it fits well with what they are already doing (same IDE, BlazeDS is Java, etc..). Also, they can count on most / all users having the runtime - making deployment easy. If they are willing to give up the niceness of the Flex / AIR deployment model, why not just use Java to build RIA's?

Re: Security by Richard Monson-Haefel

Interesting statement! I did a quick search on IE & Firefox in the osvdb.org database. I see many-many scary things in there for them too - would you suggest they should meet a similar fate in corporate Intranets


Giving up browsers and giving up a browser plug-in are pretty different. You can't do boo without a browser so you need to support that in the enterprise. The same is true with the Windows operating system - its simply not realistic to ask the enterprise to ban Windows from the enterprise yet the number of security issues with that platform are astounding. I use a Mac and don't suffer the same problems as Windows users. The point is: Flash provides animations and video streaming which are nice, but they are not mission critical the way browsers are. Also many of the browser security issues are related to Ajax support which is also pretty insecure.




It's an easy step for enterprise security people to block SWF content - it's not like there are mission critical flash applications in the wild. Flash is a "nice to have" but not essential in the same way that Windows and HTML browsing is.




Richard Monson-Haefel, VP of Developer Relations, Curl Inc.

Re: Security (does that mean Curl will stop using flash?) by Duane Nickull

But Richard:



If flash is too dangerous for the enterprise, how will potential Curl customers view the SWF intro on curl.com? Does this mean the following lines of code and flash are coming off the curl.com homepage?



PS - sorry buddy - couldn't resist ;-)



&#lt;object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="908" height="222" id="Nitro_home_animation" align="middle"&#gt;
&#lt;param name="allowScriptAccess" value="sameDomain" /&#gt;
&#lt;param name="movie" value="Curl_home_animation4.swf" /&#gt;&#lt;param name="quality" value="high" /&#gt;



Seriously, from a security standpoint, I trust widely tested technologies (which is why I love Linux, Unix, Webkit etc.). No technology is 100% safe from hackers. As you have debriefed me and Adobe in your previous job, you do know that Adobe takes security extremely seriously. Adobe is quick to respond to any vulnerability and publish security information very promptly, have one of the quickest updating mechanisms in the world. I am glad to see Curl doing the same. We're all fighting a common hacker element/mindset.



I would suggest that some of the above information may mix up cause and effect. Due to very wide deployment, Flash and Flash Player has been targeted by a huge number of hackers. Any widely distributed technology is going to be much more of a target for hackers so given Flash's wide reach, it is logical many more hackers have tested it and found exploits (which have been closed). Browser vendors have had some pretty scary vulnerabilities too (as noted by Jan below) but they have fixed (most of) those. I don't see any reason to use that as grounds for stopping use of Browsers in Intranets.



Normally I agree with your POV but had to call this one. Curl is cool, so is Flash. They each have strengths. I consider both very secure.



Duane Nickull

"Speaking only for myself"

Re: Security (does that mean Curl will stop using flash?) by Richard Monson-Haefel

To be honest, asking corporate IT to ban every technology that has a history of exploits is like fighting windmills, but if I were running an IT shop I would much rather run it on secure platforms. Maybe that's just me.




Anyway, we do use Flash on our public facing web site because the context we use it in, product advertising, is exactly the right application for that technology. Curl, which is not a mass-consumer technology wouldn't work on a public facing banner.




Of course you are right. Both Adobe Flex/AIR and Curl have their strengths and they are both pretty cool technologies. I love some of the really cool flash animations I've seen out there and I give Adobe a lot of credit for their penetration in the market. What spawned this conversation, however, was a question about why we (Curl) are always talking about security. Any way you slice it, Curl is a more secure platform than Flash/Flex/AIR.




I know the Adobe folks work hard at security - just as Microsoft works hard on security - but that doesn't mean they are less of a target for hackers. Like Microsoft their penetration in the mass-consumer market makes them a huge target and exploits - despite everything they do - will only become more sever and more frequent over time.




Richard Monson-Haefel
VP of Developer Relations
Curl, Inc.

Flex is the chosen RIA platform of choice by SAP, Oracle and Salesforce.com by Matthias Zeller

Disclaimer: I am a Group Product Manager for Adobe (but I don't work in the Flex team).
When choosing a RIA platform to develop the User Experience for Enterprise Applications total cost of ownership is an important criteria. How easy is it to embed these RIA applications with your existing application investment? How many developers know the technology? Is the technology vendor you are choosing established and viable over time.
When developing backend applications you certainly would not pick an obscure development language over Java (or other established languages) just because the obscure language is safer because no one uses it.
I think it is irresponsible of Richard to state that IT departments should block Flash and that it is not used for mission critical applications in the enterprise. Both SAP and Oracle (the two largest enterprise application software companies) use Flex. SAP has been using Flex for many years for all of their analytical applications. Business Objects (now an SAP company) is using Flex extensively for their latest suite of Business Intelligence applications. Flex Builder is supported as a plug-in for the SAP NetWeaver Developer Studio. Flex and Flash applications can be embedded in SAP's UI framework Web Dynpro and that is fully supported by SAP (see Klaus Kreplin, Executive VP for NetWeaver, www.youtube.com/watch?v=l9SfUXD_VDI).
Visit SAP's, Oracle's or Salesforce.com's developer networks and you will find many examples and tutorials on integrating Flex with their applications.

Re: Flex is the chosen RIA platform of choice by SAP, Oracle and Salesforce by Richard Monson-Haefel

Some responses to your post:

Is the technology vendor you are choosing established and viable over time.

Actually, Curl is far more established than Flex in many respects. For one we've been in the RIA game much longer (since 1998). As far as RIA goes, Flex just got here. Second we have far more Enterprise deployments than Flex (over 300 industrial strength applications). We are also not a fly by night company - Curl is a subsidiary of Sumisho Computer Systems of Japan a global company with revenues of 1.1 billion and over 3 thousand employees. We are not going anywhere.




With regard to Salesforce, Oracle, and SAP: They will embrace the technology that provides them with the most benefit at the time. In the past that was Flex - the future is not as certain. I can see Curl developing strong relationships with all of these companies - something I cannot comment on now but something that you should be looking for in the future. Don't count your eggs just yet Adobe.

How many developers know the technology?

Adobe has put a lot of marketing money into trying to convince people that ActionScript is a mainstream language but its not. Just take a look at the TIOBE Programming Index. In terms of popularity ActionScript is ranked 20th. Languages such as "D", Lua, Ada, and Lisp are more popular than ActionScript. Hardly evidence of a programming language that is anything other than obscure. Fact is the population of ActionScript developers is very small and at 0.34% not even statistically significant.




TIOBE Programming Language Index


www.tiobe.com/index.php/content/paperinfo/tpci/...

Re: Flex is the chosen RIA platform of choice by SAP, Oracle and Salesforce by Neeme Praks

Not that I care much about Adobe, but...


Adobe has put a lot of marketing money into trying to convince people that ActionScript is a mainstream language but its not. Just take a look at the TIOBE Programming Index. In terms of popularity ActionScript is ranked 20th. Languages such as "D", Lua, Ada, and Lisp are more popular than ActionScript. Hardly evidence of a programming language that is anything other than obscure. Fact is the population of ActionScript developers is very small and at 0.34% not even statistically significant.

TIOBE Programming Language Index

www.tiobe.com/index.php/content/paperinfo/tpci/...





As you probably know, ActionScript is fairly similar to (based on) JavaScript/EcmaScript (#9 in the TIOBE list). And by the looks of it, it is on it's way up (for more information, refer to wikipedia article: en.wikipedia.org/wiki/ActionScript).




And, if you are already bashing ActionScript, perhaps you should also mention the fact that Curl programming language is ranked only in the range of 50-100. If I had to choose between Curl and Flex, based on how easy it would be to find competent developers, I would choose Flex, no question about it. Curl is a niche product and probably a very nice niche product, but still - a NICHE product. So, if I would start a comparison "Curl vs. Flex", I would not start to pick on the fact that ActionScript is not widely adopted (yet).

Re: Flex is the chosen RIA platform of choice by SAP, Oracle and Salesforce by Duane Nickull

Just to set the record straight:



1. Using the TIOBE index, AS is actually in the top ten of all "scripting" languages, Perl, Python being the most popular (I love Perl). I prefer to separate these out from programming languages.



2. Flex and AIR applications are in fact compiled into SWF's (commonly known as Flash). These do implement the Actionscript Virtual Machine based on ECMAScript 262, an ECMA standard. The current version was added in Flash Player 9 as ActionScript 3.0 with the advent of a new virtual machine, called AVM2 (ActionScript Virtual Machine 2), which coexists with the previous AVM1 needed to support legacy content. Although a bit different, it is very close to being ECMA 262 compliant.


Re: Flex is the chosen RIA platform of choice by SAP, Oracle and Salesforce by Richard Monson-Haefel

First of all, ActionScript is not JavaScript. ActionScript actually follows a more advanced version of ECMAScript so the idea that the languages are interchangeable is at best wrong. That said, its likely that JavaScript developers will be able to transition to ActionScript more easily - on a syntax level. But don't forget that there is an entire Flex framework to learn not to mention the MXML syntax which is not like JavaScript at all.




Second, the fact that ActionScript has less than 1/3rd of 1% traction and Curl as something less only means that both languages have small communities. That was the point. The room for error on the TIOBE Index is at least 2% meaning that you can't say with conviction that Flex has a much larger development community than Curl. It may be larger but at those low levels its hardly compelling for Flex.

Re: Flex is the chosen RIA platform of choice by SAP, Oracle and Salesforce by Richard Monson-Haefel

Looking back at this post I have to admit I'm embarrassed. Curl need not be so negative about our competitors. I've posted an apology to Adobe on my own blog which people can read at theclevermonkey.blogspot.com/2008/06/fair-play-....

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

14 Discuss

Login to InfoQ to interact with what matters most to you.


Recover your password...

Follow

Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.

Like

More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.

Notifications

Stay up-to-date

Set up your notifications and don't miss out on content that matters to you

BT