OpenAjax Alliance is very pleased to see the progress by one of its industry partner organizations, the OMTP, with its BONDI initiative.

BONDI provides industry standard APIs to access mobile device services, such as geolocation, address book, email, SMS, camera and the phone dialer. BONDI also defines a security manager architecture and a standard policy XML file format. The primary goals with BONDI are threefold: (1) enable next-generation rich mobile applications by allowing the Web Runtime (i.e., Ajax) to access the same APIs that are available to compiled languages such as C and Java, (2) ensure that security and privacy concerns are addressed, (3) package the APIs in the form of an industry standard and promote adoption of the standard such that developers will not have to write separate content for different mobile platforms. The APIs defined by BONDI target both Web pages and mobile widgets, particularly widgets that conform to the emerging W3C Widgets standard.

OpenAjax Alliance salutes the efforts and accomplishments to date with the BONDI specs and open source, along with the W3C’s efforts with its Widgets spec. The combination of these two initiatives promise to transform the mobile industry.

In the past, OpenAjax Alliance has helped the BONDI initiative with OpenAjax early work (Spring 2008) on use cases and requirements and subsequent work on a Mobile Device API Style Guide.

Recently (Feb-Mar 2009), OpenAjax Alliance has assembled Ajax industry leaders to review the BONDI 1.0 Release Candidate specifications and collect feedback on the OpenAjax Alliance member wiki.

In Februrary 2009, OpenAjax Alliance launched a new task force, the Accessibility Task Force, whose mission is to promote better Ajax tooling for the creation of accessible Rich Internet Applications (RIAs).

In response to the growing adoption of Rich Internet Applications (RIAs), the industry has rallied together to produce new accessibility standards, such as the W3C WAI Accessible Rich Internet Application Specification - WAI-ARIA and the W3C Web Content Accessibility Guidelines 2 - WCAG2. Although accessibility tools providers are moving towards support for WCAG 2, compliance is not fully addressed or understood in a RIA environment. These disconnects have resulted in deficiencies in today’s accessibility test tools.

The workplan for the Accessibility Task Force is as follows:

• Develop a standard set of accessibility validation rules, geared toward meeting compliance to WCAG 2 using WAI-ARIA and WAI-ARIA Best Practices. These rules must be consumable by major accessibility test tools.
• Develop best practices for reporting accessibility compliance by accessibility test tools
• Develop IDE best practices to assist developers to produce Accessible RIAs

The Gadgets Task Force, working in partnership with the IDE Working Group, is near completion of a major redesign of the mashup-oriented widget features found in the OpenAjax Metadata Specification.

The widget redesign effort, which was approved at alliance’s face-to-face meeting in October 2008, reflects implementation experience gained during the 2008 InteropFest and careful review against other widget technologies in the industry, both proprietary widget formats and the approaches used by OpenSocial Gadgets. The redesign effort has resulted in confirmation of many of the existing features (e.g., the ‘jsClass’ and ’sandbox’ attributes), along with various changes:

• Elimination of the type attribute on the content element - Previously, the type attribute could be either fragment (a snippet of HTML) or page (a complete HTML page). However, implementation experience, along with insights gained from the Security Task Force efforts around mashup authentication and authorization, convinced the Gadgets TF to drop support of the page option in OpenAjax Metadata 1.0. For widget developers who can only provide the widget in the form of a complete HTML page, the alliance will provide a sample shim widget within its open source project that shows how to use a nested IFRAME to support widgets that are delivered as complete HTML pages.
• Replacement of the view attribute with a mode attribute on the content element - Previously, OpenAjax Widgets attempted to provide a view attribute that is compatible with OpenSocial Gadgets, but the alliance concluded that the feature it needed (i.e., custom UI for edit and help) was a whole different thing that OpenSocial’s views. As a result, the view attribute has been dropped and a new mode attribute has been added. (Note: a future version of OpenAjax Widgets might restore the view attribute.)
• Redesigned and simplified widget APIs - The new widget APIs rely on standardized callback function names on the widget prototype object. The Gadgets TF concluded that the naming convention approach will be simpler and easier for widget developers.

For a complete accounting of the changes, see the OpenAjax Mashable Widgets wiki page.

The OpenAjax Metadata Specification specification, including OpenAjax Widgets, is scheduled for completion in spring 2009.

The Interoperability Working Group has completed a major redesign of the Managed Hub feature within OpenAjax Hub 2.0. The redesign effort, which started at alliance’s face-to-face meeting in October 2008, reflects implementation experience gained during the 2008 InteropFest.

The biggest change is from a plugin-oriented approach to a class hierarchy approach. The new approach is both simpler and more easily extensible than the previous approach.

Here are some characteristics of the new Managed Hub APIs:

• Revised terminology - The new APIs are centered on two notions, Containers and HubClients. A Container is a manager-side object that wraps a particular client. Each container must supply a companion HubClient, which is a client-side object that wraps the client’s runtime logic. The Container’s manager side object communicates with its companion HubClient through private, container-specific protocols. There are two built-in Containers, the IframeContainer (for untrusted clients) and the InlineContainer (for trusted clients), which match up with the two built-in HubClients, the IframeHubClient and the InlineHubClient.
• Extensible class hierarchy approach - Instead of the previous notion of “plug-in providers”, the new APIs provide an extensible class hierarchy that allow for “Custom Containers”. A Custom Container must implement the base interfaces for Container and HubClient.
• Scoped callbacks - The new APIs provide the ability to set the scope (i.e., the value of the “this” variable) for all callback functions.
• Completeness - The new APIs reflect implementation experience regarding the various utility APIs that developers will need. The various object constructors provide a rich set of configuration parameters, and the APIs provide the various getter functions that an application developer will need at runtime.

At the beginning of 2009, the Security Task Force at OpenAjax Alliance launched a new initiative around Mashup Authentication and Authorization, with an emphasis on single sign-on workflows. The goal of this initiative is to perform a deep study of real-life use cases of technologies in use today, such as login/password dialogs, OpenID, SAML, and OAuth, and then develop a set of incremental technical standards (if necessary), best practices, and educational sample applications. The focus is on how these technologies relate to the Alliance’s key mashup technologies, OpenAjax Hub 2.0 and OpenAjax Widgets.

One of the complexities with today’s single sign-on technologies (OpenID, SAML and OAuth) is the use of URL redirection. In typical practice, these technologies requires that a Web page be redirected to/from the host application server and some other server(s) (e.g., an OpenID server). It is technically difficult to combine these redirection-oriented technology approaches with IFRAME isolation approaches to mashup security, such as what is used by OpenAjax Hub 2.0, particularly when attempting to achieve interoperable mashups and widgets (i.e., components that work across multiple different products from multiple vendors).

As of March 2009, the Security Task Force has sketched out sample workflows and has developed initial versions of sample applications that illustrate some techniques to addressing the combination of OpenAjax Hub 2.0 with single sign-on technologies. The sample applications will be finished in the spring of 2009 and will show how to use single sign-on techniques in conjunction with both OpenAjax Hub 2.0 and OpenAjax Widgets.

The Interoperability Working Group has officially changed the name of “OpenAjax Hub 1.1″ to “OpenAjax Hub 2.0″. (Here is the updated Hub 2.0 spec.)

OpenAjax Hub 2.0 extends the publish/subscribe engine from Hub 1.0 to provide a client-side framework for secure mashups.

Hub 2.0 introduces the notion of a “Managed Hub”, where the host application can isolate (sandbox) each individual mashup component. With a Managed Hub, all communications between components pass through the host application’s security manager, which allows or denies each publish or subscribe request. The Managed Hub allows for safe integration of untrusted 3rd party components.

One of the key use cases for Hub 2.0 is Enterprise mashups, where a Web page consists of an assembly of multiple self-contained Web components (aka “widgets” or “gadgets”), . Hub 2.0 is particularly well-suited for mashup assembly tools, which allow line-of-business users to visually assemble a mashup by dragging widgets from a widget palette and dropping them onto the mashup canvas.

OpenAjax Hub 2.0 is upwardly compatible with OpenAjax Hub 1.0; therefore, Hub 2.0 continues to offer the same small (<3K after compaction), toolkit-neutral, publish/subscribe engine as Hub 1.0. In Hub 2.0, this lightweight pub/sub engine is called the "Unmanaged Hub". The Unmanaged Hub is well-suited to programmer-built mashups where all components are known to be trustworthy.

The alliance provides both a complete Hub 2.0 specification for the APIs and functional behavior of OpenAjax Hub 2.0, along with an open source reference implementation. The alliance is pushing for completion of Hub 2.0 in early spring 2009.

In parallel with its work on Hub 2.0, the alliance is also near completion on its complementary technology, OpenAjax Metadata 1.0, which defines industry standard XML metadata for JavaScript APIs and Web widgets (”OpenAjax Widgets”). The combination of OpenAjax Hub 2.0 and OpenAjax Widgets provides a comprehensive technology suite for mashup interoperability and mashup security.

OpenAjax Alliance has posted a handful of validation tools so that people can validate OpenAjax Metadata files. We have:

• Validation Web Page - This Web page allows you to validate either a single OpenAjax Metadata file (an XML file) or a ZIP archive that contains multiple OpenAjax Metadata files inside. The Web page allows you to either upload an XML or ZIP file from your local file system for validation or enter the URL of an XML or ZIP file on the Web.
• Validation Web services - Two different utilities:
  • Validate a URL - This Web service is located at http://www.openajax.org/schema/OpenAjaxMetadata/1.0/validate_url.php. You can either pass the URL for an OpenAjax Metadata file or a ZIP archive via a URL parameter (using GET) or via a POST parameter.
  • Validate a stream of XML - This Web service is located at http://www.openajax.org/schema/OpenAjaxMetadata/1.0/validate_data.php. This service validates the raw body contents of an HTTP POST request (i.e., the body of the POST request consists of an OpenAjax Metadata file).

This is all documented at http://www.openajax.org/schema/OpenAjaxMetadata/1.0/index.html. All of the source code for the validation utilities can be found in the ’schema’ section of the OpenAjax open source project.

Note that OpenAjax Metadata 1.0 hasn’t been finalized yet, so the language schema is still subject to (probably minor) changes.

The members of OpenAjax Alliance held a face-to-face meeting on Thursday October 23 in San Jose, hosted by Microsoft. It was a packed day that covered several key issues. This article summarizes what happened. Complete minutes can be found at:

• Complete minutes

The two main slide decks used at the meeting have been posted at:

• Face-to-face primary slide deck
• Single sign-on slide deck

Recent accomplishments

Jon Ferraiolo summarized accomplishments since the last face-to-face meeting (March 2008):

• Near completion of the OpenAjax Hub 1.1 and OpenAjax Metadata specs (for JavaScript APIs and widgets)
• Open source implementation of Hub 1.1 and the widget features found in OpenAjax Metadata
• Open source implementation of a sample mashup editor that uses Hub 1.1 and Metadata, and also adapter logic for Google Gadgets and an OpenSearch-compatible widget repository
• Open source software to convert JSDoc annotations within JavaScript files into OpenAjax Metadata
• Open source software to generate OpenAjax Metadata for the YUI toolkit
• Open source schema for OpenAjax Metadata and open source validator
• Completion of a major industry interoperability event, the 2008 InteropFest, where multiple industry leaders showcased their support for OpenAjax Hub 1.1 and/or OpenAjax Metadata. On the IDE side, participants included Adobe Dreamweaver, Aptana, Eclipse (JSDT) and IBM Rational Application Developer. On the mashup side, participants included the OpenAjax Alliance’s own open source project, Dojo Foundation, Google, IBM Opus Una (multi-user, interactive mashups), ILOG, Nexaweb, Programmable Web, SAP and TIBCO. (press release, Application Development Trends, , eWeek, , Infoworld, , Trading Partners)
• Two white papers: Introduction to Mobile Ajax for Developers, Good News for Ajax - The Browser Wars Are Back
• Mobile Device APIs initiative (use cases, requirements, security considertations, style guide) and successful transfer of our early work to the OMTP BONDI project
• Browser wishlist initiative, which proved to be a big success
• Speaking engagements at countless conferences
• Organization of the OpenAjax Pavillion event to happen at Mashup Camp on Nov 17.

Working Group Charters

The charters for the three chartered working groups all expire at the end of 2008. After discussion, the attendees decided to not renew the Marketing Working Group’s charter at this time and divide its responsibilities between the Steering Committee and the various technical working groups, where each technical working group’s charter must include marketing plans. The attendees decided that we should renew the IDE Working Group and Interoperability Working Group until Dec. 2009. The Interoperability Working Group would take over responsibility for the OpenAjax Conformance specification. We might charter other working groups around Gadgets and Mashups, Mobile and Security at the point which those task forces need to produce something official.

2008 InteropFest Show and Tell

For a couple of hours, we saw demonstrations from the following vendors: OpenAjax Alliance’s open source project, Adobe, ILOG, Lightstreamer and SAP.

OpenAjax Hub 1.1, OpenAjax Metadata and Mashable Widgets

We reviewed our list of open items, which we will work through over email and upcoming phone calls. Four key resolutions:

• Drive towards completion of OpenAjax Hub 1.1 and OpenAjax Metadata on a fast track, with weekly phone calls to discuss open issues, and shoot for early 2009 finalization and approval.
• Push the “mashable widgets” features found in OpenAjax Metadata into a separate supplemental specification so that the mashup features do not slow down completion of Hub 1.1 and Metadata.
• Work towards reconciling OpenAjax mashable widgets with Google Gadgets to achieve specfication alignment to be as close as possible, while living with the constraints that many of the widget features in OpenAjax Metadata will not be changed because they are already supported in commercial products (e.g., Adobe Dreamweaver and IBM Rational Developer).
• Soon before finalizing OpenAjax Hub 1.1, we will rename it to OpenAjax Hub 2.0. (We will hold off on the renaming because the brand “Hub 1.1″ is used quite a bit in industry, and we think changing the name at a later point will minimize confusion in the industry.)

OpenAjax Registry and OpenAjax Conformance

We will turn the OpenAjax Registry into a lightly monitored, self-service utility where both members and non-members can document what JavaScript globals, CSS classnames and HTML custom markup is used by various Ajax toolkits. The Registry and Conformance specs will have minor modifications and serve more as best practices documents rather than heavy-handed attempts to push the industry towards interoperability. The next step is to implement the self-service software for the Registry. These tasks are lower priority than completing Hub 1.1 and Metadata.

Browser wishlist

Microsoft said the browser wishlist has been very helpful to them. In subsequent discussion, the attendees decided that the alliance would refresh the browser wishlist sometime in 2009, with new round of feature requests and prioritized voting.

Mobile Ajax

We reviewed the Mobile Device APIs work that started at OpenAjax Alliance and that has now been largely transitioned to the OMTP BONDI project. We talked about the OpenAjax style guide that we pulled together in response to a request from OMTP. We talked about the upcoming event on Nov. 5 where industry leaders will talk about how to minimize fragmentation of mobile browsers in their support for Ajax.

Mashup single sign-on and mashup authorization

The Security Task Force is looking at starting an initiative around mashup security, focusing on single sign-on and mashup authorization, included delegated authorization. The initial ideas center around embracing OpenID and OAuth, but then defining appropriate profiles (i.e., subsets) and necessary extensions to achieve the desired security features in a cross-vendor interoperable manner.

OpenAjax Alliances announced some of the participants in the 2008 InteropFest within a press release that was picked up various industry publications, who wrote follow-on articles. Here are links to the press release and some early press coverage:

• Press release
• Application Development Trends
• eWeek
• Infoworld
• Trading Partners

The InteropFest targeted two main Ajax development scenarios:

• Ajax developer tools (IDE) - The key OpenAjax technology is OpenAjax Metadata, which defines an industry standard XML format for describing the JavaScript APIs and widgets in an Ajax library. This standard will allow developer tools to support a single format (i.e., OpenAjax Metadata) and automatically gain support for countless Ajax toolkit, which is a great improvement over the one-off tool-to-toolkit situation that exists in today’s world.
• Ajax mashups - OpenAjax Alliance provides two technologies for mashups. OpenAjax Hub 1.1 provides an open source secure mashup runtime that isolates 3rd party widgets into secure sandboxes (usually leveraging IFRAMEs), with a mediated message bus to control which messages go between which widgets. OpenAjax Metadata also defines a “mashable widget” standard that extends OpenAjax’s widget format to provide the extra metadata and APIs needed by mashup tools.

With today’s announcement, multiple vendors have implemented key parts of OpenAjax Metadata. Developer tools from Adobe, Aptana, Eclipse Foundation, and IBM’s Rational software division consume OpenAjax Metadata and various popular Ajax libraries and widgets have been made available in the OpenAjax formats.

Vendors participating in mashup-related interoperability include Google, IBM, Nexaweb, SAP and TIBCO. The members of OpenAjax Alliance have completed a reference implementation for both OpenAjax Hub 1.1 and OpenAjax Metadata.

One of the highlights of AJAXWorld today was when Adobe’s CTO, Kevin Lynch, began his keynote at AJAXWorld today by talking about how Dreamweaver CS4 was using the widget format from OpenAjax Metadata as the product’s native widget format, with demos of drag&drop of widgets from some popular toolkits onto the Dreamweaver canvas (e.g., I am pretty sure I saw Dojo and YUI widgets showing up in Dreamweaver, but the screen was a bit blurry).

We are happy about the great efforts from other organizations who have participated in the OpenAjax Hub 1.1 and Metadata interoperability efforts, which includes: Adobe, Aptana, the Dojo Foundation, the Eclipse Foundation, Google, IBM, ILOG, Lightstreamer, Nexaweb, ProgrammableWeb, SAP and TIBCO.

Congratulations to Aptana (Kevin Hakman), Dojo Foundation (Kris Zyp), Eclipse Foundation (Mike Milinkovich) and IBM (David Boloker), who have been elected for two-year terms on the OpenAjax Alliance Steering Committee. We look forward to their strong leadership and guidance. They join Microsoft (Bertrand Le Roy), Nexaweb (Coach Wei) and TIBCO (Howard Weingram) on the Steering Committee.