Secure Component Model

By Darryl K. Taft  |  Posted 2008-03-17


According to the abstract of the IBM researchers' paper on SMash, the existing browser security model was not designed to support mashups. The paper presents "a secure component model, where components are provided by different trust domains, and can interact using a communication abstraction that allows ease of specification of security policy," IBM researchers said. "We have developed an implementation of this model that works for all major current browsers, and addresses challenges of communication integrity and component phishing."

Smith said the more IBM looked at mashups, the more requests for security came in from line-of-business users, with those requests primarily focusing on widget interoperability and security. "So we looked at it from the client side - of how to handle security without hampering the line-of-business user," Smith said.

In addition, IBM's researchers said they have tested SMash on Internet Explorer, Firefox and Opera3. "To the best of our knowledge, this is the first approach that works without browser modifications," the researchers said. "There are multiple proposals for HTML and browser modifications to realize secure mashups, however the long timeline of adoption by standards committees, browser vendors, and eventually by users, makes these unviable for anyone wanting to build secure mashups in the near term."

Smith said that to give consumer and business users the opportunity to take advantage of mashup technology, IBM contributed the SMash technology to the OpenAjax Alliance, which is an organization of vendors, open-source projects and companies using AJAX (Asynchronous JavaScript and XML). IBM is a founding member of the alliance.

"The requirement from customers was, 'Don't give me four different security models here; give me one that all companies agree on,'" Smith said.

Darryl K. Taft covers the development tools and developer-related issues beat from his office in Baltimore. He has more than 10 years of experience in the business and is always looking for the next scoop. Taft is a member of the Association for Computing Machinery (ACM) and was named 'one of the most active middleware reporters in the world' by The Middleware Co. He also has his own card in the 'Who's Who in Enterprise Java' deck.
