ADT's Programmers Report: Open-source servers today -- ADTmag

ADT's Programmers Report: Open-source servers today

By Colleen Frye
June 3, 2002

If open-source operating systems and Web servers can go mainstream, can open-source application servers be far behind? Already, the likes of Tomcat, Zope, Enhydra and JBoss boast development communities devoted to moving open software forward, and corporate IT has started to test the waters. Some of these products are all the app server many users need. And many are supported by commercial software makers. But questions remain. Can open-source application servers scale? Will management tools be available? Will commercial versions of open-source application servers really be open? Will maintenance and support be readily available? Another question: How important is full J2EE compatibility?

'Without EJBs, [an application server] can't call itself a J2EE server,' said James Governor, a London-based analyst with Illuminata. Full-blooded J2EE servers come under the aegis of Sun's Java Community Process, but are not strictly open source. And J2EE certification, he said, is expensive, which impacts a vendor's ability to maintain the low-cost pricing model of open-source software. But many businesses want a J2EE-compliant product, 'even though most applications don't use that capability,' said Governor. 'A lot of ISVs are throwing good money away at the moment.'

If the history of Linux and Apache provides a roadmap, though, observers say corporations will likely strike a balance, utilizing both open-source and commercial application servers. 'Both have their place,' said Governor. 'It's about balance. People don't want to make gambles, but when they see vendors they trust supporting this stuff, they'll go forward with it.'

Striking a balance
Organizations should look at not only striking a balance between open-source and commercial products, but also between low- and high-end servers, according to research firm Gartner Inc., Stamford, Conn. This way, they will get better value for their money. Rather than standardize on a single-platform application server architecture, Gartner recommends using a low-end server for less-demanding, user-facing applications and a high-end application server for transaction-heavy applications.

Gartner reports that many companies have been paying big bucks for products that have more capacity than they actually need, which the firm chalks up to a lack of architectural planning and 'the blind adoption of vendor-promoted technology.' Gartner divides application servers into two groups: low-end, which support servlets and JSPs, but typically not EJBs; and high-end, which typically support EJBs and Java messaging, and handle large transaction volumes.

From 1998 to 2000, enterprises spent more than $1 billion for application server capacity they never used, according to Gartner. For example, Gartner found that during the past three years, 80% of Java deployments did not utilize EJBs, but 60% of the application servers deployed were high-end and EJB-capable. By 2003, according to Gartner research, 60% of all new J2EE application code will remain JSP/servlets only, and at least 70% of new applications will be deployed using high-end servers. As a result, Gartner projects companies will spend an additional $2 billion on wasted capacity from 2001 to 2003.

Research from Stamford, Conn.-based Meta Group is in lockstep here. Meta cites that while only 10% of corporate-developed Java apps use EJB servers, nearly 90% of Global 2000 company purchases are for EJB-capable products. According to Meta, 'Price differentials between commercial EJB- and non-EJB-capable versions range between 60% and 80%, and the combination of Tomcat and Apache can provide the necessary services for free.'

Added Illuminata's Governor, 'Smart users are questioning their expenditure on Java-based application servers; I think Apache and Tomcat will be part of the enterprise arsenal.'

In the open-source space, there are both low- and high-end app servers, although none as yet with J2EE certification. A look at where they came from might provide some insight as to where they are going.

Apache/Tomcat
The Apache Software Foundation (ASF) is an outgrowth of The Apache Group, which was formed in 1995 to develop the Apache HTTP Server. According to the Netcraft Web Server Survey, January 2002, 56% of the Web sites on the Internet use Apache. Among the Fortune 1000, according to an October 2001 Meta Group report, 19% of these firms use Apache. No matter how you slice the data, Apache has achieved solid acceptance. Credit IBM with much of the muscle, and money, behind Apache.

'IBM funded much of the development of Apache,' said Mark Karaman, president of Solvepoint Corp., a management and technology consulting company in West Chester, Pa. 'They derived the benefit from open source and turned it into WebSphere.' XML and SOAP extensions that position Apache as a fuller application server have been among recent innovations.

Tomcat is an open-source implementation of Java servlet and JSP technologies developed under the Jakarta project at ASF.

Various vendors offer commercial versions of both Apache and Tomcat. Covalent Technologies, for example, offers the Enterprise Ready Server (ERS), a Web server product designed to minimize the resources required to deploy and manage Apache Web servers. The product provides a distributed graphical management tool for the Apache Web server, combining Apache 2.0 with Tomcat.

'The one thing Apache has been missing all along is [an] 800-number,' said Jim Zimmelin, vice president of marketing at San Francisco-based Covalent.

The fact that Covalent offers management solutions for Apache is a plus, said Illuminata's Governor. The lack of management tools for open-source vendors on the J2EE side, he noted, 'I see as a problem. The only company I'd point to at this point is Covalent; they're doing wonderful things around Apache management.'

Sun J2EE certification is not available for servlets-only platforms; however, 'Tomcat implements the majority of the J2EE standard; the pieces it doesn't implement, most people seem to be comfortable [with the idea] they don't need [them],' said Covalent's Mark Douglas, senior vice president of engineering. 'And the cost of adoption is lower [if you] go with Tomcat.'

New Mexico Mutual Casualty Company (NMMCC), Albuquerque, is a Covalent customer. 'We wanted the flexibility of Apache, but still [wanted to] have some kind of technical support and security assurances,' said Tim Thackaberry, Web administrator.

Thackaberry could have built what the firm needed without Covalent, but going through Covalent was more convenient. 'With Covalent, we have an SSL-enabled server out of box without having to install it ourselves; but I could still go in and undo what they've done,' he said.

Covalent's Douglas said the firm is 'a hybrid between an open-source software model and a proprietary software model. We build proprietary software on top of the open-source Apache core -- like management and security -- that aren't easily developed in [the] open-source world and which our customers are glad to pay for.'

NMMCC has a Web application, which was written in Perl, running on Covalent Apache Web servers, over Red Hat Linux. The application allows the firm's insurance agents to handle all aspects of NMMCC's auto and home policies serving New Mexico and Arizona. The company gets about 1 million hits a month.

NMMCC's Thackaberry said he chose to use the Resin XML app server from Caucho Technology Inc., San Diego, rather than Tomcat. Resin implements the latest servlet, JSP, EJB and XML specifications, and is available under the Caucho Developer Source License, which Thackaberry said is inexpensive. 'I have the source code and I can modify it. Resin does have some secondary technology that does do EJBs, but EJBs are too complex for our needs; possibly we'll do that in the future,' he said.

NMMCC had some initial resistance to going with an open-source solution, said Thackaberry. 'You know the stereotype -- it's not always going to work, it won't be secure -- but once we got it up and running and it never crashed' those fears were alleviated, he said. And in terms of maintenance, Thackaberry said it has been a piece of cake. He joked, 'It's Apache, man. It runs itself!'

Zope in the forefront
Another open-source application server is Zope, which Zope Corp. (formerly Digital Creations), Fredericksburg, Va., originally developed as part of its consulting arsenal. The software was released as open source in November 1998.

'With open source, it lets you grab market share and establish momentum on the cheap,' said Paul Everitt, one of Zope Corp.'s co-founders. Today, said Everitt, Zope has a life of its own. According to zope.org, there are more than 20,000 developers around the world contributing to Zope. Zope now targets the enterprise content management market, developing solutions based on the open-source Zope app server and its Content Management Framework (CMF), typically deployed behind the Apache Web server.

Zope was developed with the Python language, an interpreted, interactive, object-oriented programming language. Everitt was a founding organizer of the Python software community; the Python Labs team is now part of Zope Corp.

The U.S. Navy recently used Zope Corp.'s solution to prototype a document management system for coordinating and tracking engineering changes to equipment, enabling the Navy and its contractors to collaborate securely and efficiently. The legacy application it would replace currently runs 1,000 large engineering documents a year, with many attachments, explained Jim Glenn, Internet Branch Manager, U.S. Navy -- NCTS Pensacola, SPAWAR SSC Charleston. Glenn said the application represents integrated product teams across one-third of the Navy's logistics group. The Navy has put the prototype on hold for now, but Glenn said he hopes to resume work on the Zope app in a few months.

Glenn began using Zope before it was open source. He and Zope Corp.'s Everitt were in the Navy together, and Everitt 'helped me bring up the Navy intranet site,' said Glenn. Later, when Glenn had a short deadline to bring on a major Navy database, he went back to Everitt, who showed him Zope. They completed the project in three and a half weeks.

Glenn said he 'can't afford to put all my eggs in one basket,' so he tries to keep on top of a variety of technologies. For example, 'I have Java programmers working in parallel to Zope developers. It takes more to find a good Java programmer than a Python programmer; Java programmers are usually certified, but with no experience. It's not easy to find someone on [the] street, but you can with Python because of open sourcing,' he said.

Glenn said his experience with Zope flies in the face of typical knocks against open-source application servers -- that they do not scale and maintenance will cost more in the long run. 'Scaling isn't a problem if you're talking about the size of the application. And with maintenance on Zope, if anything needs to be upgraded, you just download it and run tests; it's just your own staff time,' he said. And while personnel is often cited as an organization's most expensive cost, Glenn said he finds that doing the maintenance required with open source keeps technical skills sharp, 'so it cuts development time in half.'

Does the fact that Glenn's Zope solution is a commercialized app from Zope Corp. make it any less open than if he downloaded and built it himself? According to Glenn, 'It's about 95% to 98% open, as open as anything else I've seen. Digital Creations [now known as Zope Corp.] has been [a] little bit more free with its software than most, but they control where it's going next.'

Enhydra
Enhydra is an open-source Java/XML application server created by Lutris Technologies Inc., Santa Cruz, Calif., which open sourced the software in January 1999. Enhydra features the Enhydra XMLC technology, an object-oriented standards-based replacement for JSP. Enhydra also provides plug-ins for leading IDEs, such as Borland's JBuilder.

Like Zope, Lutris began life as a consulting company that released its software into the public domain. Unlike Zope, though, Lutris recently took its application server efforts out of the open-source world and into the J2EE-licensed domain. Java originator Sun's certification stipulations played a role in this decision. Lutris's chief evangelist, David Young, said that while servlet programming meets about 75% of customers' needs, 'J2EE has taken on a pretty heavy brand recognition. We saw it as an imperative that we also embrace J2EE and launched our product in August.' The Lutris EAS 4.1 application server enables a full enterprise J2EE solution.

Young acknowledged that Lutris's decision created a stir among open-source advocates. 'I don't think people were real happy. In order to shift our focus to J2EE, we had to move all of our attention to it. Enhydra took on a life of its own; enough people have become experts that Lutris wasn't needed to keep the flag waving,' he said.

So does Lutris believe that an open- source business model will not work? 'Yes, we've gone public about that, particularly in the application server market; the people downloading Enhydra aren't the same ones making purchase decisions; we needed to focus on those decision makers,' he said.

But, Young added, 'by no stretch have we abandoned open source. But rather than our core, it's an element of our development strategy.' Young said Lutris will soon announce two new open-source projects on the micro server side.

Dave Bouvier, technical lead at Electronics For Imaging Inc. (EFI), which does software and hardware imaging solutions for network printing, is comfortable with Lutris's decision. The Foster City, Calif.-based firm will use Lutris EAS as well as Enhydra to build an e-commerce printing app targeted at print buyers/printers.

'I have experience building Web applications based on Java application servers. When I came to EFI, I was going to build a system based on a lot of Apache- and Jakarta-based software,' said Bouvier. 'Velocity was going to be the UI presentation layer. I came across Barracuda, which led me to Enhydra, which led me to Lutris.' Velocity is EFI's workflow solution. Barracuda is an open-source presentation framework and a project of enhydra.org.

Bouvier said the application will run in both open-source Enhydra and Lutris EAS; the version EFI offers in an ASP model will be based on EAS. 'One reason I chose Lutris is that there is the open-source version; for certain customers, where cost is a critical factor, we wanted a low-cost solution. The service available to everyone in the ASP model will be based on the commercial [EAS] version. There's more performance, and you have the ability to do clustering, which you don't have with the open-source version,' he said.

While Bouvier and Lutris's Young feel Enhydra can continue to develop without Lutris, others are skeptical. 'If Lutris is not open source, it says something about what will happen to Enhydra,' said Illuminata's Governor. 'We don't know what's going to happen with Enhydra. For people who are hard-core, open-source bigots, it would tend to drive them toward using JBoss,' he said.

Here comes the JBoss
JBoss is an open-source application server based on the J2EE specification and implemented in pure Java. It is available for free download under the LGPL license. JBoss, however, is not J2EE certified. In a statement posted on the jboss.org Web site, JBoss lead developer and founder Mark Fleury wrote: 'JBoss long ago informed Sun that we were interested in obtaining the J2EE certification suite so that we could apply Sun's certification mark to the JBoss software. Sun quoted a price for that certification suite that is beyond the current financial resources of the JBoss team. As a result, we have chosen not to 'certify' our software. Nevertheless, JBoss fully complies with Sun's published standards.'

JBoss.org claims a community of 1,000 international developers, and that its Web site 'averages approximately 50,000 downloads of its application a month as reported by Sourceforge.com.'

JBoss Group LLC, a commercial company in Atlanta, provides support, training and consulting services around the JBoss platform.

'JBoss is a great product; it is the most thorough implementation of JMX [Java Management Extensions] out there,' said Illuminata's Governor. But while it offers high-end functionality, he added, 'if I'm rolling out an enterprise-class application, I want support. The community will look after itself, but when you want to have a throat to choke, who will you call?'

Experience counts
Whom you call and how much experience they have in developing and supporting the product is more critical than if a solution supports EJBs, hosts more complex apps, is J2EE certified, or even whether it is open or proprietary, said Yefim Natis, vice president and research director at Gartner Inc.

'Open-source application servers are invariably low end, they're not J2EE certified, and they're not backed by vendors with many years of experience with middleware. High-end environments are such that middleware and software infrastructure cannot be tested in a lab,' said Natis. 'A product must be in production and used for some time so the vendor gets feedback, goes through several loops and then the product begins to mature. Look at the leading vendors of high-end application servers, BEA and IBM, both with more than 10 years in the high-end application platform business; that's no accident,' he explained.

And while JBoss positions itself in the high-end space and, according to Natis, 'can host more complex applications -- it's definitely a better platform than Tomcat -- that's not all there is to high-end maturity.

'Open source gives you lower cost,' Natis continued, 'but at the high end, people don't care about that. The cost is not just in the acquisition, but in maintenance and long-term care.' Even at the low end, Natis recommends going with a lower-cost app server from an established vendor, such as BEA's WebLogic Express. 'It's not because it's open source, but for what open source is -- [solutions] offered by relatively inexperienced vendors,' he said.

Natis said there are two justifications for an open-source solution: 'low cost and access to source code. Access to source code is a mixed blessing,' he noted. 'If something goes wrong it's good to [be able to] look at that, but it will require greater technical skills in-house. And you're vulnerable to people changing source code.' There will be more commercial J2EE servers to come, he said.

The next generation
An open-source avenue can also help organizations attract talent, said Britt Johnston, CTO at Bedford, Mass.-based NuSphere, an open-source firm specializing in PHP and databases. 'Employees do like to work with this software, so finding programmers who'd like to work in these environments is not hard. Many kids out of universities often know the basics right out of the gate,' he said.

In the end, it may come down to balance: the use of both low- and high-end application servers, each where appropriate, as Gartner recommends. And perhaps the use of both open and commercial products, each where appropriate.

'A lot of open-source purists view the future as everything open source, and commercial products as evil. We think it's both,' said Solvepoint's Karaman. 'You will have enterprise software doing what it does well, and giving large companies someone to yell at and a place to get support. Then you have the open-source face, where you have a mix of more rapid development, cool tools and peer support.'

For more information, see the related article 'PHP prowls the edge .'