OpenAjax salutes (and provides feedback to) OMTP/BONDI

Blogged by: Jon Ferraiolo on March 28, 2009 at 2:16 pm

OpenAjax Alliance is very pleased to see the progress by one of its industry partner organizations, the OMTP, with its BONDI initiative.

BONDI provides industry standard APIs to access mobile device services, such as geolocation, address book, email, SMS, camera and the phone dialer. BONDI also defines a security manager architecture and a standard policy XML file format. The primary goals with BONDI are threefold: (1) enable next-generation rich mobile applications by allowing the Web Runtime (i.e., Ajax) to access the same APIs that are available to compiled languages such as C and Java, (2) ensure that security and privacy concerns are addressed, (3) package the APIs in the form of an industry standard and promote adoption of the standard such that developers will not have to write separate content for different mobile platforms. The APIs defined by BONDI target both Web pages and mobile widgets, particularly widgets that conform to the emerging W3C Widgets standard.

OpenAjax Alliance salutes the efforts and accomplishments to date with the BONDI specs and open source, along with the W3C’s efforts with its Widgets spec. The combination of these two initiatives promises to transform the mobile industry.

In the past, OpenAjax Alliance has helped the BONDI initiative with its early work (Spring 2008) on use cases and requirements and subsequent work on a Mobile Device API Style Guide.

Recently (Feb-Mar 2009), OpenAjax Alliance has assembled Ajax industry leaders to review the BONDI 1.0 Release Candidate specifications and collect feedback on the OpenAjax Alliance member wiki.

Accessibility Task Force launched

Blogged by: Jon Ferraiolo on March 28, 2009 at 1:36 pm

In February 2009, OpenAjax Alliance launched a new task force, the Accessibility Task Force, whose mission is to promote better Ajax tooling for the creation of accessible Rich Internet Applications (RIAs).

In response to the growing adoption of Rich Internet Applications (RIAs), the industry has rallied together to produce new accessibility standards, such as the W3C WAI Accessible Rich Internet Application Specification – WAI-ARIA and the W3C Web Content Accessibility Guidelines 2 – WCAG2. Although accessibility tools providers are moving towards support for WCAG 2, compliance is not fully addressed or understood in a RIA environment. These disconnects have resulted in deficiencies in today’s accessibility test tools.

The workplan for the Accessibility Task Force is as follows:

  • Develop a standard set of accessibility validation rules, geared toward meeting compliance to WCAG 2 using WAI-ARIA and WAI-ARIA Best Practices. These rules must be consumable by major accessibility test tools.
  • Develop best practices for reporting accessibility compliance by accessibility test tools
  • Develop IDE best practices to assist developers to produce Accessible RIAs

Revised OpenAjax Widget spec

Blogged by: Jon Ferraiolo on March 28, 2009 at 10:48 am

The Gadgets Task Force, working in partnership with the IDE Working Group, is near completion of a major redesign of the mashup-oriented widget features found in the OpenAjax Metadata Specification.

The widget redesign effort, which was approved at the alliance’s face-to-face meeting in October 2008, reflects implementation experience gained during the 2008 InteropFest and careful review against other widget technologies in the industry, both proprietary widget formats and the approaches used by OpenSocial Gadgets. The redesign effort has resulted in confirmation of many of the existing features (e.g., the ‘jsClass’ and ‘sandbox’ attributes), along with various changes:

  • Elimination of the type attribute on the content element – Previously, the type attribute could be either fragment (a snippet of HTML) or page (a complete HTML page). However, implementation experience, along with insights gained from the Security Task Force efforts around mashup authentication and authorization, convinced the Gadgets TF to drop support of the page option in OpenAjax Metadata 1.0. For widget developers who can only provide the widget in the form of a complete HTML page, the alliance will provide a sample shim widget within its open source project that shows how to use a nested IFRAME to support widgets that are delivered as complete HTML pages.
  • Replacement of the view attribute with a mode attribute on the content element – Previously, OpenAjax Widgets attempted to provide a view attribute that is compatible with OpenSocial Gadgets, but the alliance concluded that the feature it needed (i.e., custom UI for edit and help) was a whole different thing than OpenSocial’s views. As a result, the view attribute has been dropped and a new mode attribute has been added. (Note: a future version of OpenAjax Widgets might restore the view attribute.)
  • Redesigned and simplified widget APIs – The new widget APIs rely on standardized callback function names on the widget prototype object. The Gadgets TF concluded that the naming convention approach will be simpler and easier for widget developers.

For a complete accounting of the changes, see the OpenAjax Mashable Widgets wiki page.

The OpenAjax Metadata Specification, including OpenAjax Widgets, is scheduled for completion in spring 2009.

Revamped APIs for Hub 2.0

Blogged by: Jon Ferraiolo on March 28, 2009 at 10:04 am

The Interoperability Working Group has completed a major redesign of the Managed Hub feature within OpenAjax Hub 2.0. The redesign effort, which started at the alliance’s face-to-face meeting in October 2008, reflects implementation experience gained during the 2008 InteropFest.

The biggest change is from a plugin-oriented approach to a class hierarchy approach. The new approach is both simpler and more easily extensible than the previous approach.

Here are some characteristics of the new Managed Hub APIs:

  • Revised terminology – The new APIs are centered on two notions, Containers and HubClients. A Container is a manager-side object that wraps a particular client. Each container must supply a companion HubClient, which is a client-side object that wraps the client’s runtime logic. The Container’s manager side object communicates with its companion HubClient through private, container-specific protocols. There are two built-in Containers, the IframeContainer (for untrusted clients) and the InlineContainer (for trusted clients), which match up with the two built-in HubClients, the IframeHubClient and the InlineHubClient.
  • Extensible class hierarchy approach – Instead of the previous notion of “plug-in providers”, the new APIs provide an extensible class hierarchy that allows for “Custom Containers”. A Custom Container must implement the base interfaces for Container and HubClient.
  • Scoped callbacks – The new APIs provide the ability to set the scope (i.e., the value of the “this” variable) for all callback functions.
  • Completeness – The new APIs reflect implementation experience regarding the various utility APIs that developers will need. The various object constructors provide a rich set of configuration parameters, and the APIs provide the various getter functions that an application developer will need at runtime.

Security Task Force Progress on Mashup Authentication and Authorization

Blogged by: Jon Ferraiolo on March 28, 2009 at 9:23 am

At the beginning of 2009, the Security Task Force at OpenAjax Alliance launched a new initiative around Mashup Authentication and Authorization, with an emphasis on single sign-on workflows. The goal of this initiative is to perform a deep study of real-life use cases of technologies in use today, such as login/password dialogs, OpenID, SAML, and OAuth, and then develop a set of incremental technical standards (if necessary), best practices, and educational sample applications. The focus is on how these technologies relate to the Alliance’s key mashup technologies, OpenAjax Hub 2.0 and OpenAjax Widgets.

One of the complexities with today’s single sign-on technologies (OpenID, SAML and OAuth) is the use of URL redirection. In typical practice, these technologies require that a Web page be redirected to/from the host application server and some other server(s) (e.g., an OpenID server). It is technically difficult to combine these redirection-oriented technology approaches with IFRAME isolation approaches to mashup security, such as what is used by OpenAjax Hub 2.0, particularly when attempting to achieve interoperable mashups and widgets (i.e., components that work across multiple different products from multiple vendors).

As of March 2009, the Security Task Force has sketched out sample workflows and has developed initial versions of sample applications that illustrate some techniques for combining OpenAjax Hub 2.0 with single sign-on technologies. The sample applications will be finished in the spring of 2009 and will show how to use single sign-on techniques in conjunction with both OpenAjax Hub 2.0 and OpenAjax Widgets.

Hub 1.1 renamed to Hub 2.0

Blogged by: Jon Ferraiolo on March 28, 2009 at 8:12 am

The Interoperability Working Group has officially changed the name of “OpenAjax Hub 1.1” to “OpenAjax Hub 2.0”. (Here is the updated Hub 2.0 spec.)

OpenAjax Hub 2.0 extends the publish/subscribe engine from Hub 1.0 to provide a client-side framework for secure mashups.

Hub 2.0 introduces the notion of a “Managed Hub”, where the host application can isolate (sandbox) each individual mashup component. With a Managed Hub, all communications between components pass through the host application’s security manager, which allows or denies each publish or subscribe request. The Managed Hub allows for safe integration of untrusted 3rd party components.
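
An added JavaScript sketch of the mediation model described above (not code from the OpenAjax Hub specification or reference implementation; `MiniManagedHub`, `connect` and the policy object are hypothetical names). Every subscribe and publish request passes through the host's policy callbacks, which run with a caller-chosen `this`:

```javascript
// Simplified model of a managed hub. NOT the OpenAjax Hub 2.0 API; all names are hypothetical.
class MiniManagedHub {
  constructor({ onPublish, onSubscribe, scope }) {
    // scope becomes `this` inside the policy callbacks; subs holds { clientId, topic, handler }
    Object.assign(this, { onPublish, onSubscribe, scope, subs: [] });
  }
  // Each component receives only this handle, never a reference to another component.
  connect(clientId) {
    return {
      subscribe: (topic, handler) => {
        if (!this.onSubscribe.call(this.scope, topic, clientId)) return false;
        this.subs.push({ clientId, topic, handler });
        return true;
      },
      publish: (topic, data) => {
        let delivered = 0;
        for (const s of this.subs) {
          if (s.topic !== topic) continue;
          // The manager decides per (publisher, subscriber) pair.
          if (!this.onPublish.call(this.scope, topic, data, clientId, s.clientId)) continue;
          // Deliver a copy so components never share a mutable object.
          s.handler(topic, JSON.parse(JSON.stringify(data)), clientId);
          delivered++;
        }
        return delivered;
      },
    };
  }
}

function demo() {
  // Constructed policy: "acct.*" topics are limited to trusted components.
  const policy = {
    trusted: new Set(["portfolio", "chart"]),
    sensitive(topic) { return topic.startsWith("acct."); },
    allowSubscribe(topic, who) { return !this.sensitive(topic) || this.trusted.has(who); },
    allowPublish(topic, data, from, to) { return !this.sensitive(topic) || (this.trusted.has(from) && this.trusted.has(to)); },
  };
  // The callbacks are passed detached from `policy`; `scope` restores their `this`.
  const hub = new MiniManagedHub({ onPublish: policy.allowPublish, onSubscribe: policy.allowSubscribe, scope: policy });
  const [portfolio, chart, ad] = ["portfolio", "chart", "thirdPartyAd"].map((id) => hub.connect(id));
  const seen = [];
  return {
    chartSub: chart.subscribe("acct.balance", (t, d) => seen.push(d.amount)), // allowed
    adSub: ad.subscribe("acct.balance", () => seen.push("leak")),             // denied
    realPub: portfolio.publish("acct.balance", { amount: 1200 }),             // reaches chart only
    spoofPub: ad.publish("acct.balance", { amount: 0 }),                      // dropped by policy
    seen,
  };
}
```

The untrusted component can neither read the sensitive topic nor inject messages into it, because both directions are checked by the host rather than by the components themselves.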

One of the key use cases for Hub 2.0 is Enterprise mashups, where a Web page consists of an assembly of multiple self-contained Web components (aka “widgets” or “gadgets”). Hub 2.0 is particularly well-suited for mashup assembly tools, which allow line-of-business users to visually assemble a mashup by dragging widgets from a widget palette and dropping them onto the mashup canvas.

OpenAjax Hub 2.0 is upwardly compatible with OpenAjax Hub 1.0; therefore, Hub 2.0 continues to offer the same small (<3K after compaction), toolkit-neutral, publish/subscribe engine as Hub 1.0. In Hub 2.0, this lightweight pub/sub engine is called the "Unmanaged Hub". The Unmanaged Hub is well-suited to programmer-built mashups where all components are known to be trustworthy.

The alliance provides both a complete Hub 2.0 specification for the APIs and functional behavior of OpenAjax Hub 2.0 and an open source reference implementation. The alliance is pushing for completion of Hub 2.0 in early spring 2009.

In parallel with its work on Hub 2.0, the alliance is also near completion on its complementary technology, OpenAjax Metadata 1.0, which defines industry standard XML metadata for JavaScript APIs and Web widgets (“OpenAjax Widgets”). The combination of OpenAjax Hub 2.0 and OpenAjax Widgets provides a comprehensive technology suite for mashup interoperability and mashup security.