The OpenAjax Alliance announced the approval and availability of OpenAjax Hub 2.0 as an industry standard for more secure Web 2.0 mashup applications. Advances in security in Hub 2.0 can help protect enterprise mashups from malicious intent, giving IT staff greater confidence in adding these features to their Web sites.
“OpenAjax Hub 2.0 is a major step forward for the OpenAjax Alliance towards its mission of promoting Ajax interoperability,” says David Boloker, OpenAjax Alliance Steering Committee chairman and CTO for Emerging Internet Technology, IBM. “In order to realize the potential for mashups across the industry, there needs to be standards. Hub 2.0 defines a key industry standard for how widgets can be isolated into secure containers and then how widgets can talk to each other through a mediated messaging bus.”
Hub 2.0 isolates third-party widgets into secure sandboxes and mediates messaging among the widgets with a security manager. For example, suppose a Web site includes a third-party calendar widget. That widget itself might be malicious or might become malicious if its code has vulnerabilities that allow a site to hijack the widget. Malicious widgets could transmit hijacked data to a scamming web site or piggyback user credentials to read and write from company servers.
Hub 2.0 prevents attacks by isolating untrusted widgets from the main application and other widgets, and by preventing access to user credentials. It protects against widget hijacking due to its features around careful widget loading and unloading and message integrity.
Hub 2.0 consists of two main parts, a specification and an open source implementation.