AJAX widget security enabled
In an upgrade to one of its core technologies,
the OpenAjax Alliance, an industry group formed to boost interoperability in the
AJAX space, on Monday is offering OpenAjax Hub 2.0, featuring capabilities for
secure interaction between JavaScript widgets.
The Hub 2.0 specification defines standardized JavaScript APIs for secure
mashups and offers cross-vendor interoperability among mashup tools and
components. It isolates third-party widgets in secure sandboxes and mediates
messages between widgets using a security manager.
"You want to make sure that the widgets themselves are secure and you want the
ability, for example, to be able to turn off one widget from communicating with
all the other widgets if it misbehaves," said David Boloker, chairman of the
alliance's steering committee and chief technical officer in the emerging
Internet technology group at IBM.
A Web site, for example, could house a third-party calendar widget that might be
malicious or be vulnerable to site hijacking. Hub 2.0 prevents attacks by
isolating untrusted widgets from the main application and from other widgets.
Access to user credentials is prevented.
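The mediation model described above, sketched as an added example: it is not the OpenAjax Hub 2.0 library or its API, and the class, method, widget and topic names are hypothetical. It models only message mediation by a host-defined policy and cutting off one widget; the sandbox isolation itself is assumed.

```javascript
// Simplified model of a mediated widget hub; NOT the OpenAjax Hub 2.0 API.
// MediatedHub, connect, disable and the policy shape are hypothetical names.
class MediatedHub {
  constructor(policy) {
    this.policy = policy;       // { onSubscribe, onPublish }, set by the host page
    this.subs = new Map();      // topic -> Map(widgetId -> callback)
    this.disabled = new Set();  // widgets cut off from all messaging
  }
  // A widget receives only this handle, never the hub or another widget.
  connect(id) {
    return { subscribe: (t, cb) => this._subscribe(id, t, cb),
             publish: (t, d) => this._publish(id, t, d) };
  }
  disable(id) {
    this.disabled.add(id);
    for (const m of this.subs.values()) m.delete(id);
  }
  _subscribe(id, topic, cb) {
    if (this.disabled.has(id) || !this.policy.onSubscribe(topic, id)) return false;
    if (!this.subs.has(topic)) this.subs.set(topic, new Map());
    this.subs.get(topic).set(id, cb);
    return true;
  }
  _publish(sender, topic, data) {
    if (this.disabled.has(sender)) return 0;
    const wire = JSON.stringify(data);  // copy by value: no shared object references
    let delivered = 0;
    for (const [receiver, cb] of this.subs.get(topic) || []) {
      if (receiver === sender || !this.policy.onPublish(topic, sender, receiver)) continue;
      cb(topic, JSON.parse(wire), sender); delivered++;
    }
    return delivered;
  }
}
// Constructed scenario: a trusted "mail" widget and an untrusted "calendar" widget.
function demo() {
  const hub = new MediatedHub({
    onSubscribe: (topic, id) => id !== "calendar" || topic.startsWith("calendar."),
    onPublish: (topic, from, to) => !(from === "calendar" && topic.startsWith("auth.")),
  });
  const mail = hub.connect("mail"), cal = hub.connect("calendar"), seen = [];
  mail.subscribe("calendar.event", (t, d) => seen.push(d.title));
  mail.subscribe("auth.token", (t, d) => seen.push("SPOOFED"));
  const snoop = cal.subscribe("auth.token", () => {});     // denied by policy
  const ok = cal.publish("calendar.event", { title: "standup" });
  const spoof = cal.publish("auth.token", { v: "x" });     // blocked by policy
  hub.disable("calendar");                                 // host cuts the widget off
  const after = cal.publish("calendar.event", { title: "late" });
  return { snoop, ok, spoof, after, seen };
}
```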
Hub 2.0 provides developers with needed assistance in addressing security
concerns in JavaScript, said Jeffrey Hammond, principal analyst at Forrester.
Developers also need assistance with integration of JavaScript frameworks, which
the hub technology addresses, he said.
"The need for integration is still a pressing one in that particular space," he
said.
The alliance is making available an open source JavaScript library that can
implement version 2.0 on a Web page. It is accessible on SourceForge.net.
Version 1.0 of the hub, introduced in January 2008, allowed widgets from
different AJAX toolkits to communicate with each other.
The alliance previously said OpenAjax Hub 1.1 would feature security
capabilities for widgets. It decided instead to call the release 2.0 to
better reflect the magnitude of the changes.
IBM plans to implement version 2.0 in its IBM Mashup Center 2.0 tool for
building mashups, which is currently in a beta release stage. General
availability is planned for later this year.
Companies besides IBM that are supporting Hub 2.0 include vendors such as
Microsoft and mashup software vendor JackBe.
"The OpenAjax Hub 2.0 is a unique opportunity for the industry to provide a
trusted solution to the very real problem of secure mashups, bridging
applications as well as libraries such as the Microsoft Ajax Library or jQuery
without a constraint on their design," said Bertrand Le Roy, senior program
manager at Microsoft, in a statement released by the alliance.
"At JackBe we are incorporating this technology into Presto, JackBe's enterprise
mashup platform, to enhance our offering and provide even greater security
support for our enterprise customers," said Deepak Alure, JackBe vice president
of engineering and product management, also in a statement.
Hub 2.0 also features a test suite and customization capabilities. An open
source mashup assembly application has been developed by the alliance to show
how to build a browser-based mashup application that uses Hub 2.0 and OpenAjax
Widgets.