Moreover, if you're actually working with competent people, they should have no trouble learning Haskell. Chances are, everybody already is, and would be happy at a chance to use it at work.

All the FUD spread around about Haskell is unfortunate. It's a brilliant, practical and extremely productive language, and people are turned away from it for misinformed and poorly considered reasons.

Not necessarily, Haskell's unofficial motto is after all, "Avoid success at all costs". ;)

http://www.codersatwork.com/simon-peyton-jones.html

I don't consider any of these to be Rails-killers, for comparative lack of the combination of lots of web-oriented libraries/plugins and ease of configuration, Rails' biggest draw.

But OP asked for frameworks designed for security, ostensibly to suite the needs of his upcoming project. GWT and the others could be options for that project, depending on requirements. Only OP knows, but worth suggesting.

>And after all is said and done, if you had wanted to develop the site in Java, you could have just used J2EE.

Yup, as I mentioned.

>You'll never find another developer who wants to maintain your Haskell code.

That's an absolute with which I absolutely I beg to differ.

>I would also add Revel, for Golang, to that list.

Looks interesting, but not mature enough yet to include it in this answer. And when they say 'modeled on the Play framework', that's a yellow flag to me, given that Play wasn't designed from scratch for strong security. Originally Play was easily vulnerable to basic attacks like XSS and later patched - eg, not designed around security from scratch. They seemed to want to build a better Rails on the JVM, but they seem to have also adopted the Rails community's preference for 'cool, quick, easy, and magic with security bolted on later', and just added 'fast'. Hopefully the Revel guys do better.

First, I do want to thank for pointing those frameworks out. I Knew about all the Haskell ones as well as Lift, but OPA I had no idea. Currently looking at it now. Not a fan of JS, but I'm open minded enough to take a loot at.

I quite like Haskell, but I feel the Haskell frameworks aren't there. They may be secure, but the way we have to develop around them makes me cringe (snap for example, and how to get parameters from actions, or yesod with the template haskell everywhere). Also, not sure how battle tested they are. Looking at Haskell wiki, each project has about 10 sites to each framework, and none high profile enough.

I love my unix shell, but I'm really considering .net for this (I think c# is quite a decent language, and f# allows me to have functional programming in there.) Microsoft is trusted by the enterprise (Even if there are issues, managers are more willingly to allow .net patches than framework of the day patches.)

I'll look at lift/scala/play now, see if they allow me an ease to develop that I like, combined with JVM security (whatever that is, but more likely a manager will know about JAva than Ruby/Python)

Crap, Opa used to be an Ocaml framework that you programmed with an Ocaml-derived DSL and that generated client side JS and a single native binary that contained both the app server, web server, and database. It reminded me of Facebook's single binary blob architecture.

But looks like it's been changed since I last looked at it, now you program it with a JS-derived DSL and it generates client-side JS and server-side Node.js. It can still compile to server-side native code, but not by default, you have to compile it from source to get that:

http://forum.opalang.org/0_235

At a cursory glance it appears the MLState guys are still using their Ocaml-based compiler to generate both the client and server side JS/MongoDB, and I assume still have the same focus on framework security, but not certain.

Personally, the only one of those frameworks I would use for high-security production is Lift, though I'm really looking forward to the Haskell frameworks getting there as well. Lift is the only one that meets my personal requirements for maturity and designed-for-security, but figured I'd list the others just in case.

Lift also does things differently, in a way that I personally appreciate but not all do - namely that html 'pages' are parsed as typed XML DOM objects rather than dumb text files/strings, and Ajax/Comet are DOM transforms rather than string rewriting. Instead of writing controllers, you write 'snippets' in Lift's DSL that bind to a DOM element and transform it, and that can be wired to other snippets, parallel processed, and lazy-loaded. All very cool, like a server-side single page application.

As for .NET, I haven't used or even paid much attention to the MS stack since 2009 so am not qualified to say anything about it, but it's definitely a safe choice. Nobody ever got fired for buying MS, they put billions into securing it, and there are tons of experts on it.

As for J2EE, it's solid, but Java's security reputation may have been tarnished by the latest web-client exploits.

As for .NET... do you really want to share your profits with Microsoft? I do agree that Microsoft's security has improved lately though.

The other thing about both .NET and J2EE is that they don't strike me as terribly productive languages for programmers. This may ignite a flamewar, but I don't think anything can claim to replace rails unless it also replicates the productivity of rails. You may find that hard to do if you use a pointy-hair-approved solution.

True, but as a first impression it's not positive, for me at least. I don't have the bandwidth to evaluate more deeply, so unfortunately signaling like this carries more weight than it probably should.

>As for J2EE, it's solid, but Java's security reputation may have been tarnished by the latest web-client exploits.

Not to those of us only interested in server-side Java. The recent vulnerability not only does not affect server-side Java, it also does not even affect client-side standalone Java apps. Just Java applets running in the browser. Those of us paying attention know that and aren't overly concerned by it.

>The other thing about both .NET and J2EE is that they don't strike me as terribly productive languages for programmers. This may ignite a flamewar, but I don't think anything can claim to replace rails unless it also replicates the productivity of rails. You may find that hard to do if you use a pointy-hair-approved solution.

One of the biggest cognitive mistakes people make that leads to misjudgments is not thinking in terms of expected value. For example, Rails may be more productive than J2EE up front, but if you lose significant developer time or worse, money, to breeches and exploits, then its total productivity could end up worse than J2EE.

I'm only saying this hypothetically b/c I don't have any data on that, but I see this sentiment over and over, that Rails is the most productive framework out there. But the question to ask is what is the real expected value of Rails productivity vs other frameworks.

Having said that, I personally hate Java and J2EE, love the JVM, and use Scala whenever possible now for that reason. Lift really hits the sweet spot of productivity, strong security, and maturity.