The OpenAjax Alliance has assembled a set of white papers as a guide to help Web developers and IT managers understand and evaluate Ajax, define a successful Ajax strategy, and become familiar the important role OpenAjax plays in the development of the Ajax market.
The white papers are:
Mashups represent a key technology component underlying "Web 2.0". Mashups allow easy integration of reusable Web components ("widgets"), data feeds (e.g., RSS or Atom), and Web services into a composite application. Mashups offer the potential for revolutionizing Web application development and provide the following benefit to companies:
Mashups fall into two categories:
This white paper focues on user-built mashups that are enabled by mashup assembly applications.
Often, the first step in creating a user-built mashup is discovering the various data sources and widgets that provide the information and visualization features that is required in the mashup. Data sources typically consist of data feeds (often RSS or Atom), already-built widgets, and other miscellaneous forms of data (e.g., company spreadsheets). Various tools exist (in the illustration below, a "Discovery and cataloging tool") to help the user search for appropriate data sources and widgets, transform the data sources (e.g., applying filters and joins to data feeds), and build a catalog of mashup components. For the purpose of this discussion, it is assumed that all data sources (including feeds) and visual components are available in the form of widgets within a "widget catalog".
Once the catalog contains the components needed by the mashup, the user runs a (perhaps different) mashup tool to assembly widgets onto the canvas, as shown below. Mashup tools often display a widget catalog from which the user drags widgets onto the canvas.
Often in a subsequent step, the widgets need to communicate with each other so that changes in one widget can trigger corresponding updates in other widgets. Sometimes the mashup tool is able to link widgets together automatically, but other times the mashup user needs to manually link widgets with each other.
When a mashup tool includes OpenAjax Hub inside, widgets are linked together via the Hub's publish/subscribe engine. Whenever a widget needs to notify other widgets of a change in state,
the widget publishes an event by calling one of the OpenAjax Hub's
publish() methods. Other widgets subscribe to the given event topic. When the event is published, the Hub notifies subscribers, who are able to perform appropriate update actions in response to the event.
Mashup tools that run in the browser typically have instant deployment, meaning that upon completing the build and linking process on the mashup canvas, the mashup is available for immediate use both by the user who created the mashup and by other users who can access the URL at which the mashup was saved. To run the mashup, users simply navigate to the URL at which the mashup is stored.
In the picture below, note that upon deployment any design-time user interface, such as the widget gallery, does not appear.
Also, observe that when the mashup executes, some of the widgets in the mashup communicate in the background with particular Web servers. This opens up the possibility of severe security vulnerabilities if the mashup does not have an appropriate mechanism for isolating widgets to prevent unauthorized information flow. For example, the company server in the picture may have granted read/write access to the data on the server to the mashup's Web page. This means if Widget-E or Widget-A were malicious, they could attempt to gather company confidential information or trigger malicious transactions. The Managed Hub feature in OpenAjax Hub addresses the security issues raised by mashups. The sections below describe how the Managed Hub feature provides a mechanism to isolate 3rd party widgets and includes a security manager mechanism such that the mashup container application can mediate the dispatching of messages that are passed among the widgets.
As mentioned previously, within this specification, the term "widget" refers to Web widgets, which represent a portable chunk of HTML/Ajax code that can be installed and executed within other HTML-based web pages. Widgets typically are placed within a rectangular area of the mashup canvas and present a user interface for viewing information and interacting with that information. Widgets often talk to a back-end web service in the background as they execute.
Two key challenges in the world of user-built mashups are interoperability and security.
The industry has seen a rapid rise in the availability of widgets, but these widgets are expressed in several different widgets formats, which hinders interoperability, and thus goes against the remixability promise. OpenAjax Alliance is working to help the industry move towards greater widget interoperability, particularly due to its OpenAjax Metadata Specification, which among other things defines an industry standard for Ajax-powered widgets.
The Managed Hub features in OpenAjax Hub places a primary focus on the security challenges inherent with mashups. The full potential of mashups occurs when arbitrary users, without approval from a centralized authority such as a company's IT department, can import arbitrary widgets into their own mashup. However, the security techniques used in today's popular Web browsers did not anticipate the unique requirements of mashups, where 3rd party widgets co-exist with each other within the same Web page. A naively constructed mashup could very well allow malicious widgets to send the user's personal information to a malicious server, send company-private information to a malicious server, or trigger sensitive web transactions (e.g., an eCommerce transaction) using user credentials stored within cookies.
A key thrust for the Managed Hub is to prevent such attacks from malicious widgets. The Managed Hub feature extends the (typically intra-frame) publish/subscribe features found in the Unmanaged Hub by adding the ability to set up a managed hub (typically inter-frame) that allows incorporation of untrusted widgets from third parties. Untrusted widgets are isolated from the rest of the mashup (often using Iframes) such that all information exchange to and from each untrusted widget occurs over a secure, mediated message bus.
Mashup assembly applications typically use the OpenAjax Hub for the following features:
The following illustration shows typical usage of the Managed Hub. The key difference within a mashup assembly application is that the components will consist of widgets, typically using an industry standard widget format.
In practice, mashup assembly application typically will add higher-level logic on top of the OpenAjax Hub in order to provide a mashup assembly solution to the end user. Among the common things that might be added to the Hub:
srcattribute on the
<iframe>element that will contain the widget. This URL will typically have a different sub-domain than the mashup assembly application or any of the other widgets (see "Security concerns" below).
To deliver a secure environment to end-users and their organizations, mashup assembly applications that use OpenAjax Hub must pay close attention to security concerns. Each implementation of the OpenAjax Hub should implement various security techniques to guard against malicious attacks and include clear documentation of what a Manager Application must do in order to provide a secure mashup runtime. This section highlights various security concerns and describes some of the techniques used within OpenAjax Alliance's open source reference implementation of OpenAjax Hub 2.0 (the "reference implementation").
One fundamental issue facing mashup assembly application is classifying clients as either trusted or untrusted. This determination should be made by IT experts. When not absolutely sure about the trustworthiness of a particular client, then that client should be classified as untrusted. When using the reference implementation, trusted clients that are suitable for inclusion inline within the main mashup application are candidates for the InlineContainer, which has performance advantages over the IframeContainer. All other clients should use the IframeContainer so that they are isolated into a secure sandbox.
Mashup assembly applications need to provide a security manager component that includes a policy manager to control message flow among the clients. The policy manager APIs in Hub 2.0 are fine-grained and provide the manager application with the ability to allow or deny each separate client subscription request and, for each published message, whether to allow or deny transmission of that message to a particular client. In the reference implementation, the security manager is fully configurable. It is critical that the mashup assembly application establish and implement a carefully crafted conservative security manager that defaults to deny all requests from untrusted clients, and only allows requests from untrusted clients for selected actions that are known to be appropriate for that client. One simple technique for establishing a security manager is to default to deny all, but then allow requests between particular message publishers and message subscribers on particular (usually non-wildcard) topics, based on explicit end-user actions when running the mashup application's GUI, such as drag-and-drop gestures that link a particular client publisher with a particular client subscriber on a single message topic.
One common requirement with implementations of the OpenAjax Hub is for the server to provide a large set of sub-domains. In the reference implementation, the IframeContainer isolation feature within the Managed Hub takes advantage of the same-domain security features found in modern Web browsers. Each separate client must be in a different domain or sub-domain to achieve successful isolation.
Therefore, it is often a requirement that the mashup assembly application's server provide a pool of sub-domains (e.g., a001.mydomain.com, a002.mydomain.com, etc.) and that the mashup assembly application ensure that each different client that uses the IframeContainer have its Iframe URL (i.e., the src attribute on the
<iframe> element) within a different sub-domain than the mashup assembly application and any of the other clients.
Mashup assembly applications also need to manage the life cycle of clients, particularly loading and unloading actions, to guard against frame phishing attacks. The open source reference implementation of Hub 2.0 passes a unique randomly-generated manager security token at load time to each client and has a short timeout period within which the client must respond. The reference implementation includes other safeguards, such as raising errors if the client application unloads unexpectly and requiring that each message from clients include the manager security token.
Mashup assembly applications should establish safe, private communications channels that prevent malicious clients from monitoring communications with other clients in the mashup and prevent malicious components from generating forged messages that can be sent to other clients. The alliance's reference implementation takes advantage of HTML5 postMessage in recent browsers and fragment-identifier messaging (FIM) techniques on older browsers, where each of the methods is used in a manner such that only the manager application and a single client can read and write on their private communications channel.
The alliance's reference implementation makes use of two encypted unique randomly-generated security tokens, one on the manager side and one on the client side. This technique helps the manager application ensure that it is receiving a message from the same client that it previously loaded and helps the clients ensure that they are interacting with the manager application and not a malicious software component.
The members of OpenAjax Alliance have developed an open source reference implementation of OpenAjax Hub that supports OpenAjax Widgets (as defined in the OpenAjax Metadata Specification) and can be adapted to support proprietary widgets via message bridging technologies. Key URLs: