openajax hub 1 1 smash secure mashups
play

OpenAjax Hub 1.1 & SMash (Secure Mashups) Jon Ferraiolo and - PowerPoint PPT Presentation

Dec 05, 2022 •306 likes •741 views

OpenAjax Hub 1.1 & SMash (Secure Mashups) Jon Ferraiolo and Sumeer Bhola IBM March 19, 2008 Agenda Mash Up Recap Introducing OpenAjax Alliance OpenAjax Hub1.0 OpenAjax Hub 1.1 (and SMash) OpenAjax Hub 1.1 and SMash (Secure

  1. OpenAjax Hub 1.1 & SMash (Secure Mashups) Jon Ferraiolo and Sumeer Bhola IBM March 19, 2008

  2. Agenda  Mash Up Recap  Introducing OpenAjax Alliance  OpenAjax Hub1.0  OpenAjax Hub 1.1 (and SMash) OpenAjax Hub 1.1 and SMash (Secure Mashups) 2

  3. Reshaping of Enterprise : emerging “self service” business pattern Web 2.0 Content Ecosystem • enterprise mash-ups - enabling “web apps” creation by LOBs & subject matter experts • ease of access to the data that can be combined in different ways to meet ad hoc business opportunities • designing for re-mixability combine data for diverse information • services transforming into portable, re-mixable • assets & services discover-ability of content both • internet & intranet • exploiting emergent business opportunities

  4. NEO Airport Mashup Airport Location/Status Data Yahoo Map Operator Queries (Colored Icons) Weather Data (Overlay) Airport Airport Detail Data Alert/Warning Runway Data (NOTAM) Data 4

  5. NEO Airport Mashup Airport Location/Status Data Yahoo Map Operator Queries (Colored Icons) Weather Data (Overlay) Airport Airport Detail Data Alert/Warning Runway Data (NOTAM) Data 4

  6. Quick history of Ajax  Late 1990’s to 2001  DHTML (dynamic HTML)  IE5 adds XMLHttpRequest  Microsoft suspends development of IE  2000-2005  Other browsers implement each others’ features and quirks, including XMLHttpRequest  2003-2005  Pioneering Web developers make use of Ajax techniques  Feb 2005: Jesse James Garrett dubs the term “AJAX” OpenAjax Hub 1.1 and SMash (Secure Mashups) 3

  7. Emergence of Ajax toolkits  In beginning, Google (and others) showed the way  Google Suggest, GMail, Google Maps  Initial industry skepticism  OK, fine for Google, but too difficult for everyone else  But almost immediately, Ajax toolkits emerged  Easy-to-use JavaScript libraries that hide browser dependencies  Sometimes with: • Server framework integration (e.g., J2EE/JSF, .NET/ASP) • IDE integration (~10 Eclipse-based Ajax IDEs, MS Atlas/VS, Dreamweaver) • Declarative markup language (e.g., Laszlo/LZX, Nexaweb/XAP)  Today: ~200 Ajax toolkits  Often open source  Each with their own unique approach and advantages OpenAjax Hub 1.1 and SMash (Secure Mashups) 4

  8. Why did the industry form OpenAjax Alliance?  Interoperability problems across Ajax toolkits  Sometimes toolkits step on each other  Almost never do toolkits integrate with each other  Interoperability/integration is necessary for mashups to work  Education  For IT managers and Web developers, Ajax can be complex and confusing – tyranny of choice  Help drive the future of the Ajax ecosystem OpenAjax Hub 1.1 and SMash (Secure Mashups) 5

  9. Agenda  Introducing OpenAjax Alliance  OpenAjax Hub1.0  OpenAjax Hub 1.1 and SMash OpenAjax Hub 1.1 and SMash (Secure Mashups) 7

  10. OpenAjax Hub 1.0  What is it?  Small bit of standard JavaScript (< 3K after compaction)  Enables multiple Ajax runtimes to work together  Version 1.0 features  Ajax library registration • OpenAjax.hub.registerLibrary()  Simple publish/subscribe engine (the pub sub hub) • OpenAjax.hub.publish(topicName, payload) • OpenAjax.hub.subscribe(topicName, callbackFunction) OpenAjax Hub 1.1 and SMash (Secure Mashups) 8

  11. OpenAjax Hub 1.0 – an example Assume multiple Ajax OpenAjax Hub 1.0 Example toolkits: This is a mockup of a Web application that uses UI controls • UTILS.js – Various utils, inc. XHR from multiple Ajax toolkits. • CALENDAR.js – Calendar control • DATAGRID.js – Powerful tables • CHARTS.js – Charting utilities The visual controls need to react to new server data and to each other and update their views appropriately. OpenAjax Hub 1.1 and SMash (Secure Mashups) 9

  12. Example – under the hood <html> <head> ... <script type="text/javascript" src="OpenAjax.js"/> <script type="text/javascript" src="UTILS.js"/> <script type="text/javascript" src="CALENDAR.js"/> <script type="text/javascript" src="CHARTS.js"/> <script type="text/javascript" src="DATAGRID.js"/> <script type="text/javascript"> ... function MyCalendarCallback(...) { OpenAjax.hub.publish("myapp.newdate", newdate); } ... function NewDateCallback(eventname, publisherData, subscriberData) { ...update the given visualization widget... } OpenAjax.hub.subscribe("myapp.newdate", NewDateCallback); ... </script> </head> ... OpenAjax Hub 1.1 and SMash (Secure Mashups) 10

  13. Agenda  Introducing OpenAjax Alliance  OpenAjax Hub1.0  OpenAjax Hub 1.1 and SMash  Hub 1.1: New features  Mashups • Security Issues • SMash technology overview  Hub 1.1: Details OpenAjax Hub 1.1 and SMash (Secure Mashups) 14

  14. OpenAjax Hub 1.1 – New features  OpenAjax Hub 1.0 addresses pub/sub within a single browser frame  OpenAjax Hub 1.1 adds the following:  Pub/sub across frames  Framework for secure mashups (i.e., integrate work from Security Task Force)  Pub/sub between clients and servers (i.e., integrate work from Communications Hub Task Force) OpenAjax Hub 1.1 and SMash (Secure Mashups) 15

  15. OpenAjax Hub 1.1: Concepts  Managed hub-instances  A frame/window can have multiple managed hub-instances  Hub-instance has one manager, multiple clients  Fine-grained policy hooks for manager  For security policy, mediation between incompatible clients etc.  No policy encoded in hub  Providers: Multiple communication providers for client to hub-instance communication  Provider and Hub SPI  Current providers: inline, smash (using code from SMash) OpenAjax Hub 1.1 and SMash (Secure Mashups) 25

  16. Mashups: security issues  Browser same-origin policy prevents interaction across origins  Typical Solution: bypass same-origin policy by  Proxying content (server-side mashups)  Include scripts from another server (client-side mashups)  Non-existent security: mixing active content from multiple trust domains OpenAjax Hub 1.1 and SMash (Secure Mashups) 16

  17. SMash  SMash stands for “Secure Mashups”  Secure handling of 3 rd party mashup components  Runs in today’s browsers (without plugins)  Designed and implemented at IBM Research (beginning of 2007)  Open-sourced (openajaxallianc.sourceforge.net) in August 2007  Research Paper describing SMash in WWW 2008 Conference  High-level APIs, independent of implementation technology  Fragment communication, HTML5 postMessage, Java, Flash etc.  Will still work when browsers add native support for secure cross-frame messaging OpenAjax Hub 1.1 and SMash (Secure Mashups) 20

  18. Security vulnerabilities Web browser URL http://example.com/mashup_builder/my_mashup1 : (trusted) Widget-C Widget-E Communicates in the Company server background with one of the company’s web servers (untrusted) Communicates in the background with a Public server public web server Message passing Widget-A between (untrusted) Communicates in the the background with a Public server widgets public web server What if one of the widgets is malicious? OpenAjax Hub 1.1 and SMash (Secure Mashups) 17

  19. Security vulnerabilities Web browser URL http://example.com/mashup_builder/my_mashup1 : (trusted) Widget-C Widget-E Communicates in the Company server background with one of the company’s web servers (untrusted) Communicates in the background with a Public server public web server Message passing Widget-A between (untrusted) Communicates in the the background with a Public server widgets public web server What if one of the widgets is malicious? OpenAjax Hub 1.1 and SMash (Secure Mashups) 17

  20. SMash: Implementation Approach  Enforcement of component boundaries: Using frame isolation and fragment ids for parent-child frame communication Event Hub implemented by Mashup application   Technical challenges addressed by SMash Enabling communication between frames  Integrity of communication and one-way authentication (component to mashup)  Frame-Phishing attacks  OpenAjax Hub 1.1 and SMash (Secure Mashups) 22

  21. SMash: Abstractions  Isolated browser-side components  A component has named ports: sends/receives messages on its own ports  Event hub  Implements (named) channel abstraction to which ports are wired  No namespace clashes: port naming is local to a component  Security policy specified in component-port wiring OpenAjax Hub 1.1 and SMash (Secure Mashups) 21

  22. OpenAjax Hub 1.1: Architecture Gadget/Widget Support (OpenAjax or …) API Hub 1.1 Code Hub 1.1 SPI smash provider inline provider HTML5 postMessage provider (future)  Gadget/Widget layer sits on top of OpenAjax Hub 1.1  Hub supports composite gadgets with  any level of nesting  any combination of gadget types (inline, iframe, …) e.g. inline gadget-foo composed of iframe gadget-bar and inline gadget-baz OpenAjax Hub 1.1 and SMash (Secure Mashups) 26

  23. OpenAjax Hub 1.1: the steps Web browser URL: http://example.com/mashup_builder/my_mashup1 Mashup container OpenAjax Hub 1.1 and SMash (Secure Mashups) 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Browser as a Secure Platform for Loosely Coupled, Private-Data Mashups Ben Adida C enter for

The Browser as a Secure Platform for Loosely Coupled, Private-Data Mashups Ben Adida C enter for

The Browser as a Secure Platform for Loosely Coupled, Private-Data Mashups Ben Adida C enter for R esearch on C omputation and S ociety Harvard University 24 May 2007 web mashups : interesting combinations. Aggressive web 2.0

745 views • 18 slides
Remaining Hazards and Mitigating Patterns for Secure Mashups in EcmaScript 5 Mark S. Miller and

Remaining Hazards and Mitigating Patterns for Secure Mashups in EcmaScript 5 Mark S. Miller and

Remaining Hazards and Mitigating Patterns for Secure Mashups in EcmaScript 5 Mark S. Miller and the Cajadores Overview The Mashup Problem The Offensive and Defensive Code Problems JavaScript (EcmaScript) gets simpler ES3, ES5, ES5/strict,

716 views • 52 slides
Enterprise Mashups why do I care? Ross Mason, MuleSoft About Me Agenda What? Why? How?

Enterprise Mashups why do I care? Ross Mason, MuleSoft About Me Agenda What? Why? How?

Enterprise Mashups why do I care? Ross Mason, MuleSoft About Me Agenda What? Why? How? Mashups Mashup Stats What is being mashed REST Mashups JSON Services RSS/ATOM Database Feeds Email XML Web Pages Enterprise Mashups + +

880 views • 36 slides
Edge Mashups for Clinical Collaboration Michael Siegenthaler Ken Birman Edge Mashups for

Edge Mashups for Clinical Collaboration Michael Siegenthaler Ken Birman Edge Mashups for

Edge Mashups for Clinical Collaboration Michael Siegenthaler Ken Birman Edge Mashups for Clinical Collaboration Platform objective: empower non-programmers to build applications for real-time collaboration Research challenges: share

330 views • 6 slides
Web Map Mashups: Cartography of Insurgence? Alan McConchie Dr. Brian Klinkenberg University of

Web Map Mashups: Cartography of Insurgence? Alan McConchie Dr. Brian Klinkenberg University of

Web Map Mashups: Cartography of Insurgence? Alan McConchie Dr. Brian Klinkenberg University of British Columbia Spatial Knowledge and Information - Canada Saturday February 16 2008 Few Questions What are mashups? ow have they evolved? Who

605 views • 21 slides
Interac(vely Building Geospa(al Mashups Craig A. Knoblock University of Southern California

Interac(vely Building Geospa(al Mashups Craig A. Knoblock University of Southern California

Interac(vely Building Geospa(al Mashups Craig A. Knoblock University of Southern California Work in collabora(on with Shubham Gupta, Pedro Szekely, and RaHapoom Tuchinda 1 MASHUPS A website or application that combines content from more

505 views • 50 slides
From the makers of the smash-hit: Discretising the velocity distribution for directional Who

From the makers of the smash-hit: Discretising the velocity distribution for directional Who

From the makers of the smash-hit: Discretising the velocity distribution for directional Who ordered all these operators? dark matter experiments or Pi in the sky Bradley J. Kavanagh (IPhT - CEA/Saclay) CYGNUS 2015 - 4th June

821 views • 31 slides
Adam Barth (Berkeley) Collin Jackson (Stanford) William Li (Berkeley) Mashups Two web sites

Adam Barth (Berkeley) Collin Jackson (Stanford) William Li (Berkeley) Mashups Two web sites

Adam Barth (Berkeley) Collin Jackson (Stanford) William Li (Berkeley) Mashups Two web sites collaborating to create user experience Housing maps Yelp (uses Google Maps) iGoogle Mashups are everywhere Advertising just a

466 views • 20 slides
Effizienz-Optimierung daten-intensiver Data Mashups am Beispiel von Map-Reduce Pascal Hirmer

Effizienz-Optimierung daten-intensiver Data Mashups am Beispiel von Map-Reduce Pascal Hirmer

Effizienz-Optimierung daten-intensiver Data Mashups am Beispiel von Map-Reduce Pascal Hirmer BTW 2017 BigDS Workshop Towards optimizing the efficiency of data- intensive data mashups based on the example of Map-Reduce Pascal Hirmer BTW

313 views • 13 slides
SMASH - A new hadron transport approach for heavy ion collisions 54th International Winter

SMASH - A new hadron transport approach for heavy ion collisions 54th International Winter

SMASH - A new hadron transport approach for heavy ion collisions 54th International Winter Meeting on Nuclear Physics, Bormio January 26, 2016 Vinzent Steinberg HGS-HIRe Helmholtz Graduate School for Hadron and Ion Research 1 / 22 Outline

618 views • 35 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research &amp; Boston University y Michael Schapira

701 views • 54 slides
How to run a successful hackathon? Lessons learned from 8 hackathon/bug smash events in China

How to run a successful hackathon? Lessons learned from 8 hackathon/bug smash events in China

How to run a successful hackathon? Lessons learned from 8 hackathon/bug smash events in China About us He Ruan Fred Li Jianfeng Ding Tencent Huawei Intel Chief Architect OpenStack Upstream OpenStack Engineering Tencent Cloud TStack Team

380 views • 17 slides
Clutter Reduction Methods for Point Symbols in Map Mashups Jari Korpi, Paula Ahonen-Rainio

Clutter Reduction Methods for Point Symbols in Map Mashups Jari Korpi, Paula Ahonen-Rainio

Clutter Reduction Methods for Point Symbols in Map Mashups Jari Korpi, Paula Ahonen-Rainio 28.8.2013 Contents 1. Aim of the study: Clutter reduction for map mashups 2. Classification of the clutter reduction methods 3. Criteria for

292 views • 13 slides
Alpha Presentation Money Smash Chronicle The Capstone Experience Team MSUFCU Wyatt Hillman Amy

Alpha Presentation Money Smash Chronicle The Capstone Experience Team MSUFCU Wyatt Hillman Amy

Alpha Presentation Money Smash Chronicle The Capstone Experience Team MSUFCU Wyatt Hillman Amy Leung Cory Madaj Brandon Max Yuming Zhang Department of Computer Science and Engineering Michigan State University Spring 2016 From

414 views • 9 slides
HTTP TP DESYNC ATTACKS SM SMASH SHING INTO THE CE CELL NEXT DOOR James Kettle Th The Fear

HTTP TP DESYNC ATTACKS SM SMASH SHING INTO THE CE CELL NEXT DOOR James Kettle Th The Fear

HTTP TP DESYNC ATTACKS SM SMASH SHING INTO THE CE CELL NEXT DOOR James Kettle Th The Fear ar Th Theor ory Q) What topic am I really scared of? A) HTTP Request Smuggling Hiding Wookiees in HTTP First documented by Watchfire in 2005

783 views • 32 slides
Multidimensional Ontology-Based Personalization Modeling for Automatic Generation of Mashups in

Multidimensional Ontology-Based Personalization Modeling for Automatic Generation of Mashups in

Multidimensional Ontology-Based Personalization Modeling for Automatic Generation of Mashups in Next-Generation Portals Fedor Bakalov University of Jena Birgitta Knig-Ries Andreas Nauerz IBM Research and Development Martin Welsch

263 views • 22 slides
VIEW SYSTEM Roberto Beraldi View Users interact with an application mostly through a

VIEW SYSTEM Roberto Beraldi View Users interact with an application mostly through a

VIEW SYSTEM Roberto Beraldi View Users interact with an application mostly through a Graphical User Interface (GUI) (Other means include: voice, sounds, etc.) GUI is a graphical drawing of one or more graphical objects Wiew s are

1.58k views • 69 slides
CS 528 Mobile and Ubiquitous Computing Lecture 2: Intro to Android Programming Emmanuel Agu

CS 528 Mobile and Ubiquitous Computing Lecture 2: Intro to Android Programming Emmanuel Agu

CS 528 Mobile and Ubiquitous Computing Lecture 2: Intro to Android Programming Emmanuel Agu Students: Please Introduce Yourselves! Name Status: grad/undergrad, year Relevant background: e.g. coal miner Relevant courses taken:

1.32k views • 112 slides
How the Plasma Active Human Interface Guidelines Makes the Life of Developers and Users Easier

How the Plasma Active Human Interface Guidelines Makes the Life of Developers and Users Easier

How the Plasma Active Human Interface Guidelines Makes the Life of Developers and Users Easier 2012-06-30 Akademy 2012 Thomas Pfeiffer 1 About Me History with KDE: Joined Season of Usability 2008 (KDE HIG and UI Patterns)

384 views • 11 slides
PORTRAIT PAINTING USING ACTIVE TEMPLATES Mingtian Zhao, Song-Chun Zhu University of California,

PORTRAIT PAINTING USING ACTIVE TEMPLATES Mingtian Zhao, Song-Chun Zhu University of California,

PORTRAIT PAINTING USING ACTIVE TEMPLATES Mingtian Zhao, Song-Chun Zhu University of California, Los Angeles Lotus Hill Institute http://bit.ly/portrait-painting Portrait Painting Particularity Structural Acute perception by human

467 views • 18 slides
T * est Tanja E.J. Vos So#ware Tes+ng and Quality Group (StaQ) Vakgroep Informa+ca Research

T * est Tanja E.J. Vos So#ware Tes+ng and Quality Group (StaQ) Vakgroep Informa+ca Research

T * est Tanja E.J. Vos So#ware Tes+ng and Quality Group (StaQ) Vakgroep Informa+ca Research center for So#ware Produc+on Methods (PROS) Open Universiteit Universidad Politecnica de Valencia Netherlands Spain T * est What is

389 views • 26 slides
RIPE NCC Measurements and Tools Training Course Training Services | RIPE NCC | January 2017

RIPE NCC Measurements and Tools Training Course Training Services | RIPE NCC | January 2017

RIPE NCC Measurements and Tools Training Course Training Services | RIPE NCC | January 2017 Schedule Coffee, Tea 09:00 - 09:30 Break 11:00 - 11:15 Lunch 13:00 - 14:00 Break 15:30 - 15:45 End 17:30 2 Introduction Name Number

1.44k views • 126 slides
Interactive Media Retrieval in Mobile Communication Robert van Kommer Real, Listen and Watch

Interactive Media Retrieval in Mobile Communication Robert van Kommer Real, Listen and Watch

Interactive Media Retrieval in Mobile Communication Robert van Kommer Real, Listen and Watch Abstract http://diuf.unifr.ch/diva/3emeCycle07/ All-in-one mobile phones have changed our social communication behaviors and infotainment habits.

868 views • 34 slides
PyGTK + ipython + parasite quick tour chrysn &lt;chrysn@fsfe.org&gt; 2010-11-11 GTK+ Language

PyGTK + ipython + parasite quick tour chrysn &lt;chrysn@fsfe.org&gt; 2010-11-11 GTK+ Language

PyGTK + ipython + parasite quick tour chrysn &lt;chrysn@fsfe.org&gt; 2010-11-11 GTK+ Language bindings Getting started More GTK features The boring stuff at the beginning of a presentation G IMP T ool k it (created 1997 for GIMP)

505 views • 24 slides

More recommend