Security is often seen as a big barrier to enterprise mashups: With many of them built
by non-IT staff and integrating Web services from all over the
Internet, there's no guarantee that they won't accidentally leak
important data. IBM aims to assuage these fears with SMash, a mechanism that will help mashups authenticate Ajax Web services. Released today as an open-source project at Open Ajax, IBM plans to incorporate the code into its forthcoming Lotus
security problems if the mashup source isn't trusted.
SMash gives Ajax apps a way to confirm the identity of each mashup
component, then decide whether to trust it. Exactly how this decision is made is left up to Ajax developers. A simple application could allow
users to build mashups from only a few whitelisted services, while a
more complex one could use another trusted Web service that acts like a certificate authority. IBM plans to host the first such trust service,
but multiple competing services are likely if the system takes off.
Like other Open Ajax projects, SMash is published under the very liberal Apache license, so enterprise could also build their own services for in-house use.
Developers also have a choice of underlying authentication algorithms
and protocols, with SMash itself not specifying whether to use (for
example) Kerberos or PKI, or whether SAML is necessary. This could cause interoperability problems, as every Web service in a mashup needs to be using the technology and all in the same way. For the system to take off, IBM will need to work with Web service providers like Google and Yahoo to ensure support and settle on common protocols. So far, the only commercial product certain to support it is IBM's Lotus Mashups, due in summer 2008.
Because SMash only affects Web services accessed via a mashup, it
doesn't directly address common Web-based application vulnerabilities like cross-site scripting, which result from a user directly visiting a malicious Web site directly. There's also a possibility that even an authenticated site could contain a malicious payload, whether due to a programming mistake or because it contains user-generated content. For this reason, IBM suggests that it be used alongside other security mechanisms such as scanning the content of each mashup component for possible attacks.
Users wanting to try out the actual code can download it from SourceForge as part of OpenAjax, while IBM Research has more details in a technical whitepaper.