OpenAjax Alliance Delivers Software For More Secure Enterprise Mashups

OpenAjax Hub 2.0 approved as an industry standard for more secure Web 2.0 mashup applications

August 31, 2009

6 Min Read


SAN JOSE, Calif., Aug. 31 /PRNewswire/ -- The OpenAjax Alliance announced today the approval and availability of OpenAjax Hub 2.0 as an industry standard for more secure Web 2.0 mashup applications. Advances in security in Hub 2.0 can help protect enterprise mashups from malicious intent, giving IT staff greater confidence in adding these features to their Web sites.

OpenAjax Hub 2.0 was developed over the past two years at OpenAjax Alliance, an organization dedicated to the adoption of open and interoperable Ajax technologies. Ajax is Web development technology based on HTML and JavaScript that runs mashups, widgets and gadgets. Mashups allow business users to drag and drop "mashed up" components to create customized Web applications in minutes.

The major addition to Hub 2.0 is a JavaScript Library for Secure Enterprise Mashups created to better protect widgets and mashups from hackers and malicious intent. It addresses concerns among IT managers that may have inhibited adoption of mashup software within companies.

"OpenAjax Hub 2.0 is a major step forward for the OpenAjax Alliance towards its mission of promoting Ajax interoperability," says David Boloker, OpenAjax Alliance Steering Committee chairman and chief technology officer for Emerging Internet Technology, IBM. "In order to realize the potential for mashups across the industry, there needs to be standards. Hub 2.0 defines a key industry standard for how widgets can be isolated into secure containers and then how widgets can talk to each other through a mediated messaging bus."

Hub 2.0 isolates third-party widgets into secure sandboxes and mediates messaging among the widgets with a security manager. For example, suppose a Web site includes a third-party calendar widget. That widget itself might be malicious or might become malicious if its code has vulnerabilities that allow a site to hijack the widget. Malicious widgets could transmit hijacked data to a scamming web site or piggyback user credentials to read and write from company servers.

Hub 2.0 prevents attacks by isolating untrusted widgets from the main application and other widgets, and by preventing access to user credentials. It protects against widget hijacking due to its features around careful widget loading and unloading and message integrity.

This is what industry leaders are saying about Hub 2.0:


"OpenAjax Hub 2.0 is a significant technology advancement for enterprise mashups," said Mikael Orn, director of development for IBM Mashup Center. "Hub 2.0 allows companies to realize both mashup security and flexibility. With OpenAjax Hub 2.0, users or administrators can isolate untrusted third-party widgets into secure sandboxes, preventing information stealing and other malicious acts. The net result is that mashup users can combine company-internal widgets with third-party widgets without compromising security."


"JackBe is excited to see the OpenAjax Hub 2.0 mature into a robust specification and standard that provides an additional approach to address the security challenges of mashups in the browser," said Deepak Alur, co-author of 'Core J2EE Patterns' and VP Engineering and Product Management at JackBe. "At JackBe we are incorporating this technology into Presto, JackBe's enterprise mashup platform, to enhance our offering and provide even greater security support for our enterprise customers."


"The OpenAjax Hub 2.0 is a unique opportunity for the industry to provide a trusted solution to the very real problem of secure mashups, bridging applications as well as libraries such as the Microsoft Ajax Library or jQuery without a constraint on their design," said Bertrand Le Roy, Senior Program Manager at Microsoft.


"ProgrammableWeb is the leading resource and community site for mashup developers and Web 2.0 development," said John Musser, founder of "We congratulate OpenAjax Alliance on completing OpenAjax Hub 2.0, whose security engine allows developers to build mashups using third-party visual components, even components that might include JavaScript logic and whose trustworthiness is not fully known."

RadWeb Technologies

"The new OpenAjax Hub 2.0 provides a comprehensive enterprise-grade solution for secure widget interoperability," said Steve Repetti, CEO/CTO, RadWeb Technologies. "OpenAjax Hub 2.0 is the glue that binds distributed objects and applications together in a trusted environment."

Software AG

"Eliminating security challenges while delivering a rich and intuitive user experience will take enterprise mashups to the next level," said Dr. Peter Kurpick, Chief Product Officer of Software AG and the webMethods business line. "Standards-based interoperability in the composite applications space is absolutely critical and a requirement that we hear from our customers over and over again. Recognizing this need, Software AG is a proud supporter of the OpenAjax Alliance's efforts to improve the interoperability of AJAX-based technologies."


"OpenAjax Hub 2.0 is a very important advance for the industry," said Howard Weingram, Principal Architect, TIBCO Software Inc. "For the first time implementers can securely combine standardized widgets and components from different sources, including those with very different trust profiles. TIBCO is shipping Hub 2.0-enabled products today and sees the Hub as a strategic technology. We are proud to have contributed to the Hub 2.0 release and look forward to future work in this area."

An Overview of OpenAjax Hub 2.0

Hub 2.0 consists of two main parts, a specification and an open source implementation.

-- The Hub 2.0 Specification has been recently approved by the members of OpenAjax Alliance as an Ajax industry standard. The specification defines standardized JavaScript APIs for secure mashups and will result in cross-vendor interoperability among mashup tools and mashup components.

-- The alliance has also developed an open source implementation of the Hub 2.0 specification. The open source implementation is written in browser JavaScript and is compatible with all popular desktop browsers.

This announcement is part of a broader set of initiatives at OpenAjax Alliance to accelerate customer success using Ajax. In addition to OpenAjax Hub, the alliance is working on a companion mashup initiative, OpenAjax Widgets, which defines an Ajax interoperability standard for Ajax widgets, and is scheduled for approval in the coming months.

OpenAjax Hub 2.0 was validated in late 2008 during a multi-vendor interoperability event, and then revised in early 2009 to allow straightforward integration with other industry mashup technologies, particularly OpenSocial technologies. It has now been finalized and approved for release.

Hub 2.0 also includes a comprehensive test suite and provides an extensibility architecture that allows software vendors and enterprise customers to customize and extend to meet particular needs. The specification and open source have been designed with enterprise performance requirements in mind. The Hub 2.0 technology includes a fast-performance option for trusted widgets (e.g., widgets developed by the company's own IT department) which allows internal company mashups at scale. The security features in Hub 2.0 build from the Secure Mashup (SMash) open source contribution from IBM Research to OpenAjax Alliance that was announced in 2008.

To help vendors deploy Hub 2.0, the alliance has written two white papers:

-- "Introducing OpenAjax Hub 2.0 and Secure Mashups"

-- "OpenAjax Hub 2.0 and Mashup Assembly Applications"

The alliance also has developed an open source mashup assembly application that showcases how to create a browser-based mashup application that uses OpenAjax Hub 2.0 and OpenAjax Widgets as the key technologies within the application.

The OpenAjax Alliance is an organization of vendors, open source projects and companies using Ajax that are dedicated to the successful adoption of open and interoperable Ajax-based Web technologies. OpenAjax members include more than 100 organizations including Adobe, the Eclipse Foundation, Google, IBM and Microsoft working towards the mutual goal of accelerating customer success with Ajax. To learn more about OpenAjax Alliance, please visit, .

Contact: Colleen Haikes Media Relations for OpenAjax Alliance 415-545-4003 [email protected]

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights