Search This Blog

Friday, March 14, 2008

IBM Moves on Secure Mashups: SMash Contributed to OpenAjax Alliance

IBM is unveiling technology to secure mashups and is donating it to
the OpenAjax Alliance, an organization promoting AJAX (Asynchronous
JavaScript and XML) interoperability. Mashups are defined by IBM as
Web applications that pull information from multiple sources such as
Web sites, enterprise databases, and e-mail to present a single view.
But mashups have been beset by security risks. Through IBM's SMash
(secure mashup) technology, information from different sources can
communicate with each other, but the sources are kept separate to
prevent the spread of malicious code. SMash keeps code and data from
each of the sources separated while allowing controlled sharing of
data through a secure communication channel. The technology is being
donated to the OpenAjax Alliance and is to become part of OpenAjax
Hub 1.1, which goes to general release in June, according to David
Boloker, CTO of emerging Internet technologies in the IBM software
group. Once available, SMash can be used in Web pages in mashups.
Jeffrey Hammond, senior analyst for application development at
Forrester Research: "This client-side cross-domain access pattern is
becoming increasingly popular when developers want to mix in
technology from multiple sites, but don't feel comfortable importing
that code into their server domains. Building on top of OpenAjax Hub
is a strength of SMash." The 'smash provider' is described in the
"OpenAjax Hub 1.1 Specification Managed Hub Overview" based upon an
IBM research paper (to be published in the WWW2008 Proceedings):
"The smash provider allows for secure inclusion of untrusted widgets
within a mashup. (1) Widgets are placed into IFRAMEs that have a
different subdomain than the mashup container application and the
other widgets. This technique leverages the same-domain policy that
is implemented in today's popular browsers whereby the browser disallows
JavaScript or DOM bridging between different-domain IFRAMEs. (2)
Inter-widget communication happens through a particular mechanism
(the window.location fragment identifier, aka "IFrame Proxy" technique)
that can be shared among the IFRAMEs. Note that the SMash techniques
sets up the IFRAMEs such that all communication via IFrame proxies is
mediated by the mashup container application, which prevents widgets
from listening in on the SMash communication channel..."

1 comment:

Anonymous said...

i without a doubt adore your own posting type, very helpful.
don't give up and keep penning simply because it simply just well worth to look through it,
looking forward to read a lot more of your own posts, thankx!