Use Ada for your web development

>> Website Resources
.. >> Library: TechXchange
.. .. >> TechXchange: Embedded software
.. .. .. >> Subject: Ada and SPARK

A web application is a client-server program that uses the web browser to run on the client side. Typical web applications include online webmail, online banking, online shopping, etc. The client side is responsible for interacting with the user and displaying the results obtained from the server. The server, on the other hand, is responsible for storing user data, maintaining data consistency, and updating it based on user interactions.

Security is often underestimated in web application development. This is a significant challenge because the web application must protect a user’s data from theft and corruption by malicious users. Such corruption and theft often occur within the server due to software and programming errors.

Top 25 CWE/SANS1 lists the most dangerous software errors. A permissive language such as JavaScript and Python is more vulnerable than a strongly typed language such as Java and Ada. Several CWEs are managed by the Ada language2 and will therefore be caught up in development. This makes an Ada-based server implementation safer and less vulnerable.

Ada Web App (AWA)3 is a framework for creating a web application in Ada 2012. The project was started in 2011 with the initial idea of ​​implementing several Java technologies in Ada that have proven effective in developing web applications. Indeed, Java EE, now Jakarta EE, defines a collection of standard APIs that allow a company to build a web application server. The AWA framework was presented at FOSDEM 2019 Ada devroom and AdaCore TechDays 2019.

The AWA framework provides several out-of-the-box and extensible modules that are common to many web applications. This includes login, authentication, users, permissions, comment management, tags, votes, documents and images. It provides a comprehensive blog, Q&A, and wiki module. Several web applications already use AWA as their technological core: the Ada France site (, the Jason project management application, the Atlas demonstrator, and the author’s personal blog (

An application server built with AWA consists of several Ada components and libraries that are packaged and interact together. First, it will use the Ada web server to serve HTTP requests (see picture). It will be able to connect to multiple databases including PostgreSQL, MySQL and the built-in SQLite database using the Ada Database Objects library. The framework handles web requests through the Java servlet technologies implemented in Ada by the Ada Server and Ada Server Faces libraries.

Starting a project from scratch is never easy. To solve this problem, the AWA framework comes with a tool that helps in setting up the project. The tool, Dynamo, is a command-line tool that provides several sub-commands to help with several development tasks. Once the project is set up, it is used to generate the Ada database mapping code and simplify several development tasks.

The AWA framework addresses the most important challenges facing a web developer.

Database access

A first server-side challenge is the interaction with the database. To help you with this task, the AWA framework uses object-relational mapping (ORM). The data tables contained in the databases are described using either a UML class diagram or an XML or YAML description file. From these descriptions, the Dynamo tool will generate the SQL schema of the database as well as the Ada packages allowing the application to easily access the contents of the data table.

The ORM will map each database table into a specific Ada tagged record. The Ada tagged record provides operations to find, insert, update, and delete elements from the mapped SQL table. By using such an Ada type, the application continues to benefit from Ada’s strong typing, and it doesn’t have to worry about SQL issues. Using ORM ensures that the application is not vulnerable to SQL injection.

Access control

When the server must process a request, it is necessary to check at different stages whether the user is authorized to perform the operation. It is the responsibility of the Ada Security library to perform this task.

First, the library provides an authentication framework that implements the OAuth 2 standard described in RFC 6749.4 After having authenticated a user, the Ada Security library makes it possible to check whether a user has permission to access a resource. The application defines the permissions that must be applied and associates a security policy manager for each of them. The security policy manager is responsible for checking whether or not permission is granted based on user credentials.

In different places of the application, it becomes possible to check one or the other authorization. The Ada Security library will authorize or deny access depending on the authenticated user and the security policy associated with the authorization.

Website presentation

Interacting with the client browser requires the server to validate the query parameters it receives, as well as generate HTML content for the browser. In this case, the AWA framework implements the standard Java Server Faces component-oriented user interface defined by the Java EE platform. Entirely implemented in Ada, the Ada Server Faces library benefits from the mechanisms defined in the Java JSR 344 standard.5 Java XML Facelet templates are used to describe the content of views to be rendered. These patterns also describe how to handle input parameters sent by the browser. They are checked and controlled by the Ada Server Faces library.

The link between the XML Facelet template and the Ada runtime is made via another Java standard: the Java Expression Language described by JSR 245.6 The Ada EL library implements the standard and makes the link between the XML presentation page and the Ada application variables.

Using Ada to manage query parameters and generate HTML content reduces end-application vulnerabilities. At each step, we benefit from Ada’s strong typing mechanisms.


The single page web application traditionally uses a Javascript framework that runs in the client browser. Frameworks like ReactJS, AngularJS, and Vue.js interact with the server using the REST API. Such an API has become so common that the OpenAPI initiative was created in 2015 by several companies, including SmartBear, Google, Microsoft, IBM, and From this initiative was born the OpenAPI specification,8 which allows to describe any REST API provided by a server.

By writing a description of the REST APIs of the server, it becomes possible to generate both client and server bindings. Indeed, the OpenAPI generator9 supports over 33 different programming languages ​​for client binding and 15 for server binding. Of course, Ada is supported for client and server binding. By using a generated Ada server binding, the task of writing the REST API is simplified.

When a client makes a REST request, it is first received by the Ada Web Server library which manages the HTTP protocol. It will then forward the request to the Ada Servlet library, which will process the request through the binding generated by OpenAPI.

Through this process, the Ada Security library is involved to verify the permissions associated with the REST operation. Finally, when the operation is authorized and the request parameters are validated, the OpenAPI binding will call the Ada operation to handle the request. Upon successful completion, the OpenAPI binding will format, in XML or JSON, the response returned to the client. At each of these levels, Ada strong typing reduces several vulnerabilities, including buffer overflows, which makes the REST API implementation more secure.


From database connection to client browser interaction, it is possible to benefit from the strength of the Ada programming language for web development. At each level, the use of Ada eliminates many software and programming errors by having the compiler check many of these errors. Ada is not reserved for software-critical embedded environments, and using a framework such as AWA ensures that security constraints are enforced in the final web application.

Stéphane Carrez is a senior software engineer at Twinlife.

The references

1. CVE/SANS Top 25 Most Dangerous Software Errors,

2. AdaCore Technologies for Cybersecurity, Roderick Chapman and Yannick Moy

3. Ada Web App,

4. RFC 6749, The OAuth 2.0 Authorization Framework

5. JSR 344, Java Server Faces

6. JSR 245, Java Server Pages, Chapter 2 Expression Language

7. OpenAPI Initiative,

8. OpenAPI Specification,

9. OpenAPI Generator

>> Website Resources
.. >> Library: TechXchange
.. .. >> TechXchange: Embedded software
.. .. .. >> Subject: Ada and SPARK

James S. Joseph