The OpenAjax Alliance has assembled a set of white papers as a guide to help Web developers and IT managers understand and evaluate Ajax, define a successful Ajax strategy, and become familiar with the important role OpenAjax plays in the development of the Ajax market.
The white papers are:
Whereas "Web 1.0" is about connecting people to network services, "Web 2.0" is about connecting people with people and extracting value from the community. With Web 2.0, the Web has expanded from dozens of markets with millions of people to also include millions of markets with dozens of people.
There are various technologies that help bring about Web 2.0: blogs, wikis, syndication feeds (RSS and Atom), lightweight Web services (often REST-based with JSON payloads), rich user experiences using Ajax techniques, and mashups. This white paper focuses on the last of these: mashups. In particular:
Within this white paper, the term "mashup" indicates a Web application using Open Web technologies (i.e., HTML/Ajax) that combines data from more than one source into a composite application. The classic mashup example has one part of the screen showing a mapping component (e.g., Google Maps) and another part of the screen showing a table of location-based data retrieved from a data feed (e.g., Craigslist), thereby creating a new and distinct web application that "remixes" and connects two independent web services in ways that were not originally provided by either source. Widgets and feeds (described below), along with simple web services, are the most popular building blocks for mashups.
Mashups build on the industry's move towards SOA (service-oriented architecture), in which server-side data is exposed as web services via APIs that can be invoked directly from client browsers (e.g., via XMLHttpRequest). Because the data is already reachable through these APIs, mashups allow it to be remixed on the client without server-side coding, which makes rapid application assembly by non-programmers possible. This broadens the base of people who can build applications, reduces development time, and lets end users remix information sources themselves so that they can gain insights and improve productivity.
A key industry phenomenon is the rapid rise of "web widgets" (aka, "widgets" or "gadgets"), which represent a portable chunk of client-side code that can be installed and executed within other HTML-based web pages. Within this white paper, the term "widget" will be used as a shorthand for "web widget".
Mashups fall into two categories:
For Web developers, mashup techniques allow for greater efficiencies. Mashup techniques, particularly the discovery and use of packaged widgets, feeds, and Web services, allow Web developers to create compelling Web applications in minimal time.
However, the full promise of mashups comes when end users are able to build their own custom applications via component assembly - without having to submit application development requests to their IT department.
A new generation of mashup assembly tools has emerged in the marketplace. These tools, typically browser-based, allow end users to discover widgets and feeds, and then assemble the widgets and feeds onto the browser-based canvas to create a custom application without programming. This process can be thought of as self-service application development, where users can address some of their software needs without having to submit requests to their IT department or purchase single-purpose software products. User-built mashups offer the following benefits to companies:
The full promise of mashups comes when end users are able to discover and integrate many of the great widgets (and associated data services) that exist on the public Internet with the company's proprietary widgets and data services.
However, many IT departments have held off on mashup adoption due to security fears. IT managers recognize the potential security vulnerabilities from allowing their users to mix proprietary widgets with public widgets within the same Web application. Widgets loaded directly into a page share one JavaScript global scope and one DOM, and the browser attaches the user's cookies to every request the page makes to the company's servers. A poorly architected mashup environment might therefore allow a malicious widget to read data held in other widgets or, even more dangerous, to push and pull server data in the user's name (e.g., by piggybacking on session logins the user has already established).
The following sequence of illustrations highlight potential security vulnerabilities with mashups. The first illustration below shows a mashup consisting of three widgets, all of which are trustworthy. Widget A is a company widget that communicates in the background with a company server. Widgets B and C are trustworthy public widgets that each exchange information with a public Web server.
Now assume that an end user has unknowingly created a mashup that appears to include trustworthy widgets, but in fact includes a malicious widget. If the mashup environment is not carefully programmed, the malicious widget will be able to push and pull data from the other widgets and other servers (as shown below by the brown arrows).
The illustration below depicts the basic security features of OpenAjax Hub 2.0. Hub 2.0 isolates each widget into its own secure sandbox (depicted below by the brown container surrounding each widget) and only allows widgets to communicate with each other through the Hub's messaging bus. Note that the malicious widget can only communicate with Hub 2.0 and cannot communicate directly with the other widgets or their servers. The security manager within Hub 2.0 is where the host application's policy is enforced: it decides which widgets may publish and subscribe on which message topics, and so prevents the malicious widget from passing messages directly or indirectly to other widgets.
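The following added example models the isolation shown in the illustration as working code. It is not OpenAjax Hub 2.0's own code or API; it is a minimal managed message bus with a security manager written for this page, and the topic names ("company.orders", "public.location"), the two trust levels, the policy rules and the widget identifiers (A, B, C and a malicious M) are assumptions chosen for the demonstration. In a real deployment the sandbox boundary is an iframe on a separate origin, so the hub learns which frame a message came from rather than trusting what the widget claims; here the host assigns the identity when it registers the widget and hands the widget nothing but publish/subscribe handles bound to that identity.

```javascript
// Added example: a minimal managed message bus with a security manager,
// modelling the widget isolation described in the white paper.
// Illustrative code, not OpenAjax Hub 2.0's own API. Topic names, trust
// levels and policy rules below are assumptions for the demonstration.

// Trust levels are assigned by the host page when it loads a widget,
// never self-declared by the widget.
const TRUST = { COMPANY: "company", PUBLIC: "public" };

// Security manager: the host's policy for who may talk on which topic.
// Topics under "company." are reserved for company widgets on both ends;
// everything else is open. Both hooks return true to allow, false to deny.
const policy = {
  onSubscribe(subscriber, topic) {
    return !topic.startsWith("company.") || subscriber.trust === TRUST.COMPANY;
  },
  onPublish(publisher, topic, subscriber) {
    if (topic.startsWith("company.")) {
      return publisher.trust === TRUST.COMPANY && subscriber.trust === TRUST.COMPANY;
    }
    return true;
  },
};

class ManagedHub {
  constructor(securityManager) {
    this.sm = securityManager;
    this.subscriptions = []; // { container, topic, callback }
    this.alerts = [];        // denied operations, for the host to log
  }

  // Called by the host, not by the widget. Returns the only handle the widget
  // gets: publish/subscribe closures bound to the host-assigned identity.
  addContainer(id, trust) {
    const container = { id, trust };
    return {
      subscribe: (topic, callback) => this.subscribe(container, topic, callback),
      publish: (topic, data) => this.publish(container, topic, data),
    };
  }

  subscribe(container, topic, callback) {
    if (!this.sm.onSubscribe(container, topic)) {
      this.alerts.push({ type: "subscribe-denied", who: container.id, topic });
      return false;
    }
    this.subscriptions.push({ container, topic, callback });
    return true;
  }

  // Returns the number of subscribers the message was delivered to.
  publish(container, topic, data) {
    // Serialise once and re-parse per subscriber: no live object or function
    // crosses the boundary, and no two widgets share a reference (postMessage
    // between frames gives the same copy semantics).
    const wire = JSON.stringify(data);
    let delivered = 0;
    for (const s of this.subscriptions) {
      if (s.topic !== topic) continue;
      if (!this.sm.onPublish(container, topic, s.container)) {
        this.alerts.push({ type: "publish-denied", who: container.id, topic, to: s.container.id });
        continue;
      }
      s.callback(topic, JSON.parse(wire), container.id);
      delivered++;
    }
    return delivered;
  }
}

// Scenario from the white paper: company widget A, trustworthy public
// widgets B and C, and a malicious widget M the user added by mistake.
function runScenario() {
  const hub = new ManagedHub(policy);
  const received = { A: [], B: [], C: [], M: [] };

  const a = hub.addContainer("A", TRUST.COMPANY);
  const b = hub.addContainer("B", TRUST.PUBLIC);
  const c = hub.addContainer("C", TRUST.PUBLIC);
  const m = hub.addContainer("M", TRUST.PUBLIC);

  a.subscribe("company.orders", (t, d, from) => received.A.push({ from, d }));
  // B tampers with what it receives; C must not see that change.
  b.subscribe("public.location", (t, d, from) => { d.seenBy = "B"; received.B.push({ from, d }); });
  c.subscribe("public.location", (t, d, from) => received.C.push({ from, d }));

  // M tries to eavesdrop on company data: denied by the security manager.
  const mSubscribed = m.subscribe("company.orders", (t, d, from) => received.M.push({ from, d }));
  // M tries to inject a command into the company widget: delivered to nobody.
  const mInjected = m.publish("company.orders", { cmd: "refund", amount: 1000 });
  // Open topics still work, so subscribers must treat public input as untrusted.
  const mPublicDelivered = m.publish("public.location", { lat: 0, lon: 0 });
  // Company traffic reaches company subscribers only (here A's own subscription).
  const aDelivered = a.publish("company.orders", { id: 42, status: "shipped" });

  return { hub, received, mSubscribed, mInjected, mPublicDelivered, aDelivered };
}
```

Two design points carry over to any real hub. First, identity must come from the host (the frame a message arrived from), because a widget that can name itself can name itself "A". Second, the bus copies data rather than passing references; otherwise a widget could hand another a live object and reach back into it later. Note that the policy deliberately lets M publish on an open topic, so the remaining exposure is what B and C do with untrusted public messages, which is an input-validation problem for those widgets, not something the bus can solve for them.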
OpenAjax Hub 2.0 was created by the members of OpenAjax Alliance to provide an interoperable industry solution for secure mashups.
OpenAjax Hub 2.0 consists of the following components:
OpenAjax Hub 2.0 works with multiple widget technologies. OpenAjax Hub 2.0 provides an enterprise-ready widget isolation and secure messaging engine that can be integrated with OpenAjax Widgets (part of the OpenAjax Metadata Specification), OpenSocial Gadgets, and other industry widget technologies.
OpenAjax Alliance is an organization of vendors, open source projects and companies using Ajax that are dedicated to the successful adoption of open and interoperable Ajax-based Web technologies. OpenAjax members include more than 100 organizations, including many of the industry's largest software companies. The prime objective of the group is to accelerate customer success with Ajax by promoting a customer's ability to mix and match solutions from Ajax technology providers and to help drive the future of the Ajax ecosystem.