
OpenAjax Hub 1.1 & SMash (Secure Mashups) Jon Ferraiolo and - PowerPoint PPT Presentation



  1. OpenAjax Hub 1.1 & SMash (Secure Mashups). Jon Ferraiolo and Sumeer Bhola, IBM. March 19, 2008

  2. Agenda
     • Mash Up Recap
     • Introducing OpenAjax Alliance
     • OpenAjax Hub 1.0
     • OpenAjax Hub 1.1 (and SMash)
     OpenAjax Hub 1.1 and SMash (Secure Mashups) 2

  3. Reshaping of Enterprise: emerging “self service” business pattern
     Web 2.0 Content Ecosystem
     • enterprise mash-ups: enabling “web apps” creation by LOBs & subject matter experts
     • ease of access to the data that can be combined in different ways to meet ad hoc business opportunities
     • designing for re-mixability: combine data for diverse information services
     • transforming into portable, re-mixable assets & services
     • discover-ability of content, both internet & intranet
     • exploiting emergent business opportunities

  4. NEO Airport Mashup (diagram): Airport Location/Status Data, Yahoo Map, Operator Queries (Colored Icons), Weather Data (Overlay), Airport Detail Data, Alert/Warning Data, Runway Data (NOTAM)


  6. Quick history of Ajax
     • Late 1990s to 2001
       • DHTML (dynamic HTML)
       • IE5 adds XMLHttpRequest
       • Microsoft suspends development of IE
     • 2000-2005
       • Other browsers implement each others’ features and quirks, including XMLHttpRequest
     • 2003-2005
       • Pioneering Web developers make use of Ajax techniques
       • Feb 2005: Jesse James Garrett dubs the term “AJAX”

  7. Emergence of Ajax toolkits
     • In the beginning, Google (and others) showed the way
       • Google Suggest, GMail, Google Maps
     • Initial industry skepticism
       • OK, fine for Google, but too difficult for everyone else
     • But almost immediately, Ajax toolkits emerged
       • Easy-to-use JavaScript libraries that hide browser dependencies
       • Sometimes with:
         • Server framework integration (e.g., J2EE/JSF, .NET/ASP)
         • IDE integration (~10 Eclipse-based Ajax IDEs, MS Atlas/VS, Dreamweaver)
         • Declarative markup language (e.g., Laszlo/LZX, Nexaweb/XAP)
     • Today: ~200 Ajax toolkits
       • Often open source
       • Each with its own unique approach and advantages

  8. Why did the industry form OpenAjax Alliance?
     • Interoperability problems across Ajax toolkits
       • Sometimes toolkits step on each other
       • Almost never do toolkits integrate with each other
       • Interoperability/integration is necessary for mashups to work
     • Education
       • For IT managers and Web developers, Ajax can be complex and confusing – tyranny of choice
     • Help drive the future of the Ajax ecosystem

  9. Agenda
     • Introducing OpenAjax Alliance
     • OpenAjax Hub 1.0
     • OpenAjax Hub 1.1 and SMash

  10. OpenAjax Hub 1.0
     • What is it?
       • Small bit of standard JavaScript (< 3K after compaction)
       • Enables multiple Ajax runtimes to work together
     • Version 1.0 features
       • Ajax library registration
         • OpenAjax.hub.registerLibrary()
       • Simple publish/subscribe engine (the pub/sub hub)
         • OpenAjax.hub.publish(topicName, payload)
         • OpenAjax.hub.subscribe(topicName, callbackFunction)

  11. OpenAjax Hub 1.0 – an example
     OpenAjax Hub 1.0 Example: this is a mockup of a Web application that uses UI controls from multiple Ajax toolkits.
     Assume multiple Ajax toolkits:
       • UTILS.js – various utils, including XHR
       • CALENDAR.js – calendar control
       • DATAGRID.js – powerful tables
       • CHARTS.js – charting utilities
     The visual controls need to react to new server data and to each other and update their views appropriately.

  12. Example – under the hood

     <html>
     <head>
     ...
     <!-- script elements are not self-closing in HTML: each needs an explicit </script> -->
     <script type="text/javascript" src="OpenAjax.js"></script>
     <script type="text/javascript" src="UTILS.js"></script>
     <script type="text/javascript" src="CALENDAR.js"></script>
     <script type="text/javascript" src="CHARTS.js"></script>
     <script type="text/javascript" src="DATAGRID.js"></script>
     <script type="text/javascript">
     ...
     // Calendar control: announce the newly chosen date to everyone on the hub
     function MyCalendarCallback(...) {
       OpenAjax.hub.publish("myapp.newdate", newdate);
     }
     ...
     // Subscriber callback: receives the topic name, the publisher's payload,
     // and whatever data was handed in at subscribe time
     function NewDateCallback(eventname, publisherData, subscriberData) {
       ...update the given visualization widget...
     }
     OpenAjax.hub.subscribe("myapp.newdate", NewDateCallback);
     ...
     </script>
     </head>
     ...
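To make the slide-10 API and the slide-12 wiring concrete, here is a small pub/sub hub with the same call shapes (registerLibrary, publish, subscribe, and the three-argument subscriber callback). It is an example added for this page, not the OpenAjax Alliance's OpenAjax.js; the dotted-topic wildcard rules it implements ("*" matches one segment, "**" matches all remaining segments), the registerLibrary signature, and the org.openajax.hub.registerLibrary announcement topic are assumptions made here.

```javascript
// Added example: a minimal pub/sub hub in the style of OpenAjax Hub 1.0.
// Not the OpenAjax Alliance's code; wildcard rules and signatures are assumed.
const OpenAjax = { hub: {} };

// Does a subscription pattern match a published topic name?
// "*" matches exactly one dotted segment, "**" matches the rest of the topic.
function topicMatches(pattern, topic) {
  const p = pattern.split(".");
  const t = topic.split(".");
  for (let i = 0; i < p.length; i++) {
    if (p[i] === "**") return true;              // everything that follows is accepted
    if (i >= t.length) return false;             // topic is shorter than the pattern
    if (p[i] !== "*" && p[i] !== t[i]) return false;
  }
  return p.length === t.length;                  // no extra segments in the topic
}

(function (hub) {
  const libraries = {};      // prefix -> { namespaceURI, version, extra }
  let subscriptions = [];    // { pattern, callback, scope, subscriberData }

  // Each Ajax toolkit announces itself once so the others can discover it.
  hub.registerLibrary = function (prefix, namespaceURI, version, extra) {
    if (libraries[prefix]) throw new Error("library already registered: " + prefix);
    libraries[prefix] = { namespaceURI, version, extra: extra || {} };
    hub.publish("org.openajax.hub.registerLibrary", libraries[prefix]);
    return libraries[prefix];
  };
  hub.getLibraries = function () { return Object.keys(libraries); };

  // Returns a handle so the subscriber can later unsubscribe.
  hub.subscribe = function (pattern, callback, scope, subscriberData) {
    const sub = { pattern, callback, scope: scope || null, subscriberData };
    subscriptions.push(sub);
    return sub;
  };
  hub.unsubscribe = function (handle) {
    subscriptions = subscriptions.filter((s) => s !== handle);
  };

  // Callback receives (topic, publisherData, subscriberData), as on slide 12.
  // Returns the number of subscribers the payload was delivered to.
  hub.publish = function (topic, publisherData) {
    let delivered = 0;
    for (const s of subscriptions.slice()) {       // copy: a callback may unsubscribe
      if (!topicMatches(s.pattern, topic)) continue;
      s.callback.call(s.scope, topic, publisherData, s.subscriberData);
      delivered++;
    }
    return delivered;
  };
})(OpenAjax.hub);

// The slide-12 scenario: CALENDAR.js publishes a new date, CHARTS.js and
// DATAGRID.js subscribe and update themselves. Dates are constructed sample input.
function runSlideScenario() {
  const updates = [];
  const chartSub = OpenAjax.hub.subscribe("myapp.newdate", function (name, date, widget) {
    updates.push(widget + " shows " + date);
  }, null, "chart");
  const gridSub = OpenAjax.hub.subscribe("myapp.*", function (name, date, widget) {
    updates.push(widget + " shows " + date + " via " + name);
  }, null, "grid");
  OpenAjax.hub.publish("myapp.newdate", "2008-03-19");   // what MyCalendarCallback does
  OpenAjax.hub.unsubscribe(chartSub);                    // chart widget is removed
  OpenAjax.hub.publish("myapp.newdate", "2008-03-20");
  OpenAjax.hub.unsubscribe(gridSub);
  return updates;
}
```

Note that this hub, like Hub 1.0 on the slides, runs inside one frame and trusts every script that can reach OpenAjax.hub: any included toolkit can publish on any topic or subscribe to everything with "**". That is exactly the gap the Hub 1.1 managed-hub and SMash slides go on to address.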

  13. Agenda
     • Introducing OpenAjax Alliance
     • OpenAjax Hub 1.0
     • OpenAjax Hub 1.1 and SMash
       • Hub 1.1: new features
       • Mashups
         • Security issues
         • SMash technology overview
       • Hub 1.1: details

  14. OpenAjax Hub 1.1 – New features
     • OpenAjax Hub 1.0 addresses pub/sub within a single browser frame
     • OpenAjax Hub 1.1 adds the following:
       • Pub/sub across frames
       • Framework for secure mashups (i.e., integrate work from Security Task Force)
       • Pub/sub between clients and servers (i.e., integrate work from Communications Hub Task Force)

  15. OpenAjax Hub 1.1: Concepts
     • Managed hub-instances
       • A frame/window can have multiple managed hub-instances
       • A hub-instance has one manager and multiple clients
     • Fine-grained policy hooks for the manager
       • For security policy, mediation between incompatible clients, etc.
       • No policy encoded in the hub
     • Providers: multiple communication providers for client-to-hub-instance communication
       • Provider and Hub SPI
       • Current providers: inline, smash (using code from SMash)

  16. Mashups: security issues
     • Browser same-origin policy prevents interaction across origins
     • Typical solution: bypass same-origin policy by
       • Proxying content (server-side mashups)
       • Including scripts from another server (client-side mashups)
     • Non-existent security: mixing active content from multiple trust domains

  17. SMash
     • SMash stands for “Secure Mashups”
       • Secure handling of 3rd-party mashup components
       • Runs in today’s browsers (without plugins)
     • Designed and implemented at IBM Research (beginning of 2007)
       • Open-sourced (openajaxallianc.sourceforge.net) in August 2007
       • Research paper describing SMash in the WWW 2008 conference
     • High-level APIs, independent of implementation technology
       • Fragment communication, HTML5 postMessage, Java, Flash, etc.
       • Will still work when browsers add native support for secure cross-frame messaging

  18. Security vulnerabilities (diagram)
     Web browser, URL: http://example.com/mashup_builder/my_mashup1
     • Widget-C (trusted): communicates in the background with one of the company’s web servers (Company server)
     • Widget-E (untrusted): communicates in the background with a public web server (Public server)
     • Widget-A (untrusted): communicates in the background with a public web server (Public server)
     • Message passing between the widgets
     What if one of the widgets is malicious?


  20. SMash: Implementation Approach
     • Enforcement of component boundaries: using frame isolation, and fragment ids for parent-child frame communication
     • Event hub implemented by the mashup application
     • Technical challenges addressed by SMash
       • Enabling communication between frames
       • Integrity of communication and one-way authentication (component to mashup)
       • Frame-phishing attacks

  21. SMash: Abstractions
     • Isolated browser-side components
       • A component has named ports: it sends/receives messages on its own ports
     • Event hub
       • Implements a (named) channel abstraction to which ports are wired
       • No namespace clashes: port naming is local to a component
     • Security policy specified in component-port wiring

  22. OpenAjax Hub 1.1: Architecture
     (diagram) Gadget/Widget Support (OpenAjax or …) sits above the Hub 1.1 API; the Hub 1.1 code exposes a Hub 1.1 SPI to the providers: smash provider, inline provider, HTML5 postMessage provider (future)
     • Gadget/Widget layer sits on top of OpenAjax Hub 1.1
     • Hub supports composite gadgets with
       • any level of nesting
       • any combination of gadget types (inline, iframe, …)
       e.g., inline gadget-foo composed of iframe gadget-bar and inline gadget-baz
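Slides 15, 18, 20 and 21 describe the model that separates Hub 1.1 from Hub 1.0: one manager per hub-instance, isolated client components, all policy in the manager's hooks and none in the hub, and one-way authentication of components to the mashup. The following is an added example written for this page, not OpenAjax Alliance or IBM SMash code, that models that arrangement in plain JavaScript so the policy decisions can be exercised offline. The hook names (onSubscribe, onPublish, onSecurityAlert), the message envelope fields, the widget ids, and the origins are assumptions; the widgets and the policy mirror the slide-18 picture (trusted Widget-C from the company origin, untrusted Widget-A and Widget-E from public servers).

```javascript
// Added example (not OpenAjax Alliance or SMash code): a managed hub instance
// whose manager supplies every policy decision through hooks; the hub itself
// encodes no policy. Hook names, envelope fields, ids and origins are assumed.
const MASHUP_ORIGIN = "http://example.com";   // constructed from the slide-18 URL

class ManagedHub {
  constructor(hooks) {
    this.hooks = hooks;          // manager's policy callbacks
    this.clients = new Map();    // clientId -> { origin, deliver }
    this.subs = [];              // { clientId, topic }
  }
  // Only the manager calls connect, so the manager alone fixes which frame
  // origin a client id is bound to (the "one manager, multiple clients" model).
  connect(clientId, origin, deliver) {
    this.clients.set(clientId, { origin, deliver });
  }
  // Entry point for a message arriving from a client frame. `reportedOrigin`
  // is what the transport reports (event.origin for a postMessage provider),
  // not a field the sender chose; comparing it with the recorded origin is the
  // one-way (component to mashup) authentication step from slide 20.
  receive(envelope, reportedOrigin) {
    const client = this.clients.get(envelope.from);
    if (!client || client.origin !== reportedOrigin) {
      this.hooks.onSecurityAlert(envelope.from, "ForgedMsg");
      return false;
    }
    if (envelope.op === "subscribe") {
      if (!this.hooks.onSubscribe(envelope.topic, envelope.from)) {
        this.hooks.onSecurityAlert(envelope.from, "SubscribeDenied");
        return false;
      }
      this.subs.push({ clientId: envelope.from, topic: envelope.topic });
      return true;
    }
    if (envelope.op === "publish") {
      let delivered = 0;
      for (const s of this.subs) {
        if (s.topic !== envelope.topic) continue;
        // Decided per publisher/subscriber pair, so the manager can mediate
        // between components of different trust levels on the same channel.
        if (!this.hooks.onPublish(envelope.topic, envelope.data, envelope.from, s.clientId)) continue;
        this.clients.get(s.clientId).deliver(envelope.topic, envelope.data);
        delivered++;
      }
      return delivered;
    }
    return false;
  }
}

// A widget running in its own frame. `send` stands in for the provider
// transport, which tags each message with the frame's real origin.
class Widget {
  constructor(id, origin, hub) {
    this.id = id; this.origin = origin; this.hub = hub; this.inbox = [];
    hub.connect(id, origin, (topic, data) => this.inbox.push(topic + "=" + data));
  }
  send(envelope) { return this.hub.receive({ from: this.id, ...envelope }, this.origin); }
  subscribe(topic) { return this.send({ op: "subscribe", topic }); }
  publish(topic, data) { return this.send({ op: "publish", topic, data }); }
}

// The slide-18 mashup. Policy lives here, in the manager, as port wiring rules.
function buildMashup() {
  const alerts = [];
  const trusted = new Set(["widget-c"]);
  const hub = new ManagedHub({
    // company.* channels may be read only by trusted clients ...
    onSubscribe: (topic, clientId) => !topic.startsWith("company.") || trusted.has(clientId),
    // ... and fed only by trusted publishers; other channels are open to all.
    onPublish: (topic, data, publisher, subscriber) => !topic.startsWith("company.") || trusted.has(publisher),
    onSecurityAlert: (source, type) => alerts.push(type + ":" + source),
  });
  const c = new Widget("widget-c", MASHUP_ORIGIN, hub);
  const a = new Widget("widget-a", "http://public-a.example", hub);   // constructed origin
  const e = new Widget("widget-e", "http://public-e.example", hub);   // constructed origin
  return { hub, alerts, c, a, e };
}

function runScenario() {
  const m = buildMashup();
  m.c.subscribe("company.alert");
  m.c.subscribe("public.weather");
  m.e.subscribe("company.alert");                // denied: Widget-E is untrusted
  m.a.subscribe("public.weather");
  m.a.publish("public.weather", "rain");         // reaches C and A
  m.c.publish("company.alert", "runway closed"); // reaches C only
  m.a.publish("company.alert", "spoof");         // C is subscribed, but the untrusted publisher is dropped
  // A message claiming to be from widget-c but arriving from a public frame.
  m.hub.receive({ from: "widget-c", op: "publish", topic: "company.alert", data: "x" },
                "http://public-a.example");
  return m;
}
```

The origin check only means something when the transport supplies the origin, which the HTML5 postMessage provider on slide 22 does through event.origin. For the fragment-identifier provider the browser reports no such value, which is why slide 20 lists integrity of communication as a separate challenge; this example does not implement that part.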

  23. OpenAjax Hub 1.1: the steps
     (diagram) Web browser, URL: http://example.com/mashup_builder/my_mashup1, Mashup container
