The OpenAjax Alliance, a group of companies, open-source projects and organizations dedicated to delivering interoperable AJAX technologies, announced on July 27 the "approval and availability of OpenAjax Hub 2.0 as an industry standard for more secure Web 2.0 mashup applications," the Alliance said in a news release.
Bertrand Le Roy, senior program manager at Microsoft, was quoted as saying, "The OpenAjax Hub 2.0 is a unique opportunity for the industry to provide a trusted solution to the very real problem of secure mashups, bridging applications as well as libraries such as the Microsoft Ajax Library or jQuery without a constraint on their design."
The Hub 2.0 technology "isolates third-party widgets into secure sandboxes and mediates messaging among the widgets with a security manager. For example, suppose a Website includes a third-party calendar widget. That widget itself might be malicious or might become malicious if its code has vulnerabilities that allow a site to hijack the widget. Malicious widgets could transmit hijacked data to a scamming Website or piggyback user credentials to read and write from company servers," the OpenAjax Alliance said in its statement.
However, it said, "Hub 2.0 prevents attacks by isolating untrusted widgets from the main application and other widgets, and by preventing access to user credentials. It protects against widget hijacking due to its features around careful widget loading and unloading and message integrity." According to the statement:
"OpenAjax Hub 2.0 is a significant technology advancement for enterprise mashups," said Mikael Orn, director of development for IBM Mashup Center. "Hub 2.0 allows companies to realize both mashup security and flexibility. With OpenAjax Hub 2.0, users or administrators can isolate untrusted third-party widgets into secure sandboxes, preventing information stealing and other malicious acts. The net result is that mashup users can combine company-internal widgets with third-party widgets without compromising security."
"JackBe is excited to see the OpenAjax Hub 2.0 mature into a robust specification and standard that provides an additional approach to [addressing] the security challenges of mashups in the browser," said Deepak Alur, vice president of engineering and product management at JackBe. "At JackBe we are incorporating this technology into Presto, JackBe's enterprise mashup platform, to enhance our offering and provide even greater security support for our enterprise customers."
Steve Repetti, CEO and CTO at RadWeb Technologies, said, "The new OpenAjax Hub 2.0 provides a comprehensive enterprise-grade solution for secure widget interoperability. OpenAjax Hub 2.0 is the glue that binds distributed objects and applications together in a trusted environment."
And Howard Weingram, principal architect at TIBCO Software, called OpenAjax Hub 2.0 a "very important advance for the industry." He added, "For the first time implementers can securely combine standardized widgets and components from different sources, including those with very different trust profiles. TIBCO is shipping Hub 2.0-enabled products today and sees the Hub as a strategic technology."
According to the statement:
"OpenAjax Hub 2.0 was validated in late 2008 during a multi-vendor interoperability event, and then revised in early 2009 to allow straightforward integration with other industry mashup technologies, particularly OpenSocial technologies. It has now been finalized and approved for release."
The OpenAjax Alliance also said:
"The announcement is part of a broader set of initiatives at OpenAjax Alliance to accelerate customer success using Ajax. In addition to OpenAjax Hub, the alliance is working on a companion mashup initiative, OpenAjax Widgets, which defines an Ajax interoperability standard for Ajax widgets, and is scheduled for approval in the coming months."