In February, a group of technology vendors, including BEA Systems, Google, IBM, and Oracle, formed the OpenAjax Alliance, with the goal of promoting the popular AJAX (Asynchronous JavaScript and XML) web development technique. Since then, more vendors, such as Sun Microsystems, have joined, and the alliance has launched its OpenAjax Hub project to boost interoperability among AJAX libraries. One of the founders of OpenAjax was David Boloker, who holds the titles of distinguished engineer and CTO of emerging internet technologies at the IBM software group. He also serves on the alliance's steering committee. Infoworld editor at large Paul Krill spoke with Boloker at the AJAXWorld Conference and Expo last week about AJAX, the security issues around it, and the possibilities of other vendors such as Microsoft and Apple joining the alliance.

Infoworld: Why did you found OpenAjax?

Boloker: If you go back nine months, the key problem that folks were having was, one: What exactly is the definition of AJAX? The second problem was: How do you get a message out to all parties that would be cross-vendor? The third thing was: From a technology standpoint, how can you basically start looking at what was going to happen when looking across toolkits?

So you can have one person's UI widget working with your UI widget, and these are all in JavaScript. And each and every one of the toolkits today, actually, expects to own the whole page; so they're going to basically take control, and expect to; then, when you leave their page, they lose control. Well, what really is going to have to happen is, you may like someone's Accordion control from one toolkit and want to use it, for example, with Tibco's. So one of the things which we started working on was something called OpenAjax Hub inside of OpenAjax, which is aimed at allowing that interoperability, and that's going to be an open source plan.

So those were the reasons why we started OpenAjax. Now, when you start looking at the bigger picture here and at what IBM is doing in this space, you'll see that it is in parallel to starting OpenAjax; what we did at IBM is, we started a project inside IBM to work on trying to bring down the level of complexity of writing and debugging applications, AJAX applications in particular. And the way we did it was, we built a piece of code called the AJAX Tooling Framework which went on top of Eclipse, which is the core foundation for tooling that we are using, and we can demo the AJAX Tooling Framework with the whole idea behind it [being] to bring down that level of not only complexity but also to allow someone to write a lot more AJAX code in a much shorter amount of time and get it published faster.

Infoworld: What about Microsoft - which has its AJAX technology, Atlas - not being a part of OpenAjax? Are there any more overtures being made? Are they just going to sit on the sidelines like they seem to do with other industry initiatives, like Eclipse? What's going on there with Microsoft?

Boloker: I actually just spoke with Microsoft yesterday about joining OpenAjax, and they've taken back the details and are thinking about it, and they'll get back to us.

Infoworld: What do you think the impact is of Microsoft not participating? You have this massive PC software company, and they're not participating. Do you think it's detrimental for them to not participate, or does it not make a difference?

Boloker: Well it makes a difference because I'd actually like to have them at the table. They have some very, very skilled developers, and they've thought about the area a lot, just as Tibco has and IBM has and JackBe has and others. It would be actually great if we actually can get everyone to the table, and I'm really hoping that we can do it.

Infoworld: Do you think you will?

Boloker: Optimistic.

Infoworld: But they have not made any commitments to joining at this point?

Boloker: None. They're thinking about it at this point.

Infoworld: Are there any other major companies on the sidelines? I can't think of any right now.

Boloker: There's plenty of people that are in discussions with us, and those people in discussions with us are folks like Apple. Let's see, who else would be in it? We're looking at Cisco as another. Cisco is not core to the web piece of this. The other companies are mostly in Asia.

Infoworld: What about the issues of security around AJAX? Apparently there are a lot of them. What are you doing about that?

Boloker: Security around AJAX is actually security around the web. So there's many sets of issues here, and one of the things which we're actually going to cover inside of OpenAjax is a whole discussion on security, at the meeting at the end of the week. And one of the topics is not only from a web standpoint of cross-application scripting, which has been a problem in the web for many, many years, when you have cross-application scripting between servers.

But this whole concept of when you're doing mashups, if you're doing mashups all within your establishment or customer shop or you have trusted parties, mashups are secure. It's when you do unsecure mashups between, say, myself and someone I don't really know; that other person's JavaScript could be misformed, or it could try to take control of my machine. And this is really where a question of needing to do some technology work between ourselves, the companies, as well as maybe even in the W3C to look at the question: How do I basically bring an access list to give someone approval to use the mashup or not to use the mashup?

Infoworld: Apparently there are issues with inexperienced developers, there are issues with the cross-site scripting, there are issues with web services. Even Jesse James Garrett who founded the term AJAX said there are a lot of issues and we're going to have to almost patch them one by one. So how can people rely on AJAX if it's got all these security issues? I talked to one AJAXWorld attendee yesterday, and she said she wasn't using AJAX yet, but the one thing she knew was that it apparently had a lot of security concerns.

Boloker: So there are security concerns. Actually, if you look at the security concerns you have when doing web services, there actually was work done for web services in the area of WS-Security. A lot of folks who are looking at this are looking at it for the first time. Well, the folks that actually have looked at service-oriented architecture said, "Well, if I'm actually going to start calling something, I want to, No. 1, ensure that I can call the resource, and then if I can call the resource that I'm actually entitled to, go deeper and actually access the data." The second piece of this is this cross-site scripting; this has been a known problem in the web, and it's a server-side problem that people have been dealing with.

Now, the other issues that you start looking at in the area of mashups, again, this is - you're absolutely correct. You have people that are writing JavaScript that don't really know how to write it, and if you create a mashup, you could end up with a serious problem. Now, if you look at the mashups that have been created up to this point, they've been done by very highly skilled and very knowledgeable web programmers who know what they're doing. Now, one of the reasons why we founded OpenAjax was this exact problem: when Scott Dietzen, CTO of Zimbra, who helped co-found OpenAjax, and I looked at this problem in late 2005, we pretty much decided that, given the number of problems that would be confronting people, you'd probably find one in 40 developers actually having all of the right capabilities to actually write good AJAX and secure AJAX.

Infoworld: So what are you going to do?

Boloker: The first thing we started doing is we're attacking the problem not one at a time, we're doing it in multiple fronts. The first thing was, How do we basically build AJAX, and how do we debug AJAX? And how do we see what's going from the client side of this to the server? And that's what IBM was working on, and Bob Goodman, a senior programmer at IBM, was doing with the AJAX Tooling Framework.

The second side of this is that we needed to get the knowledge out about what are the issues. You don't want to scare people away, but at the same token, you need to basically educate them. And this, again, was part of this whole side of what OpenAjax was about. The third side of this is, How do you then look at it from an industry standpoint of coming out with the best practices? So this is a document that people [would] write to give to AJAX programmers. And then the fourth thing is to look for the technology side of it. How can we basically start securing the technology? And that work is under way right now. And while there are no great answers at this exact second, there's a very good understanding of the problem, and people are discussing what's the right way to do it.

Infoworld: What is the attraction of AJAX?

Boloker: AJAX enables you in a web browser to actually have some of the same qualities of an interaction that you used to have only in a fat client setting.

Infoworld: How does it do that?

Boloker: Well, what happens is, AJAX is actually, if you want to look at a set of standards that were to form a programming model, and those standards start off with DHTML and JavaScript and XML and there's Cascading Style Sheets, there's web services, there's all of these things that are falling into this, and each and every one of these is a standard. And the use of them all together creates a toolkit. And today there are probably 200-some-odd toolkits, between closed source and open source, and each of the toolkits does things very differently. So the first thing you have to worry about is, How does it work within Firefox? How does it work within Internet Explorer? These are all different. And then, once you get beyond that, how do I get it to render effectively? Then you can start looking at, well, What are the qualities of the AJAX implementation? Can I do drag-and-drops? Can you do cut and paste, for example, from the browser and move it somewhere else? But the key thing you start looking at is, if you [look at] a great example of an AJAX application, and there are many on the web today, there is one that started off with the folks from a company acquired by Yahoo called Oddpost. And the Yahoo Beta Mail actually uses Oddpost, some of the core pieces. There's a group of developers that did very early work on finding how do I get a very, very high-quality Outlook-type mail client into a browser? And they basically were acquired by Yahoo and became Beta Mail. And if you look at what goes on inside Yahoo Mail, the first thing that's so apparent to you is you have the full services of a drag-and-drop all within the browser. The second thing you start looking at is the setting that you're having is they allow you to do RSS feeds. You can look at RSS and Atom feeds. I mean, they're just one example.

Infoworld: Before AJAX, or theoretically before AJAX, you had Flash. Do you see Flash as a competitor, as a complementary? It just seems like it is kind of a competitive technology even if Adobe says it's not.

Boloker: I was going to tell you to ask Adobe what their opinion was. Flash is yet another example of a web-based technology, and there are reasons why customers might want to use Flash to have an environment, a full environment, and you know there are reasons why people might want to do something just purely in DHTML and JavaScript. I mean the first obvious reason is DHTML and JavaScript [are] installed on everyone else's desktop today and [are] immediately used, whereas Flash was a plug-in. Now, that plug-in happens to be pretty much on most people's machines.

Infoworld: AJAX is a technique. Is there going to be an AJAX 2.0, 3.0? Do you see an evolution of it, or is it just that this is the technique for doing something and if you get too far away from it, then it's not AJAX anymore?

Boloker: Well, it's a programming paradigm, and with all programming paradigms, whether it's AJAX 2.0 or AJAX 3.0, it started off as AJAX. And it'll always be AJAX. And what you're going to do is learn, as an industry we're all going to learn nuances to do something easier or make it much more secure, the points you brought up before.

Infoworld: So OpenAjax is not going to come out with the next version of AJAX, right?

Boloker: No, OpenAjax is definitely not going to come out with another version of AJAX. OpenAjax is really going to be looking at [this] from a full industry partnership on how to move AJAX forward. Now, one might say that as we start looking at AJAX Hub and things like that, that people might say that, well, that's another version of AJAX. But in reality it's the same version of AJAX. We're just working to build it out.

Infoworld: Any final thoughts that you want to add?

Boloker: I think my only final words really come back to, I've been working in technology for many years, and as with any technology that's coming on the scenes, there are initially problems. Some of the problems have to do with, first of all, education of the audience, and the second thing has to do always with security, manageability, scalability, and things like that. Our friends from Google proved that AJAX can scale through Google Maps. For that matter, in a lot of cases I think that they've proved that you can run a pretty secure shop with AJAX. There are security problems that the industry.