Extending the Web's Reach
By Michiel de Bruijn
IBM's alphaWorks Web site is a repository for research projects. Some are more ready for prime time than others, but all of them are available for free. The site gives you direct access to the latest ideas developing inside IBM. One of the showcased products is Sash Weblications for Windows, which is described as "empowering you to create tomorrow's hottest network applications today." Despite the hype and overly cute "Weblications" moniker, Sash is a very useful and high-quality project that has received surprisingly little publicity since its first version release in 1999.
Sash is a development environment driving a proprietary runtime module (available for Windows and Linux with GNOME) that uses a combination of HTML, client-side scripting, and everyone's favorite data exchange TLA: XML.
Some people might be tempted to dismiss Sash as a gratuitous attempt to reinvent Java. That would be missing the point entirely: Sash isn't intended to be a general-purpose language, but rather a way to quickly build attractive, feature-rich client applications on top of an existing Web back-end infrastructure. Think of it as delivering on the original promise of HTML-based applications (back before the realities of browser incompatibilities dashed those hopes), while adding lots of useful features, such as full desktop integration, email access, and offline usage, all with effortless deployment.
Weblications 2.0 for Windows
Cost: Free technology preview
Pros: Excellent functionality. Complete development
Cons: No published development roadmap. Imperfect security model.
Apps on the Run
The Sash Weblications Manager is a combination of a control panel, task manager, runtime module, and deployment agent. It's responsible for keeping itself and all installed applications running and up-to-date, and lets the user configure various aspects of its operation.
To get an idea of Sash's capabilities, peruse the IBM Weblications Gallery. This contains diverse demo apps, like a distributed Buzzword Bingo game, a utility for setting window opacity on Windows 2000, and a banking client.
While experimenting with these samples, I began thinking that this kind of technology could enable a new wave of malicious mobile code if improperly applied. And unfortunately, IBM's client security implementation is a bit of a mixed blessing.
On one hand, Sash uses a robust "sandbox" with highly granular permission settings. You have full control over whether a Weblication can use the local file system, clipboard, or COM subsystem, among other things. It's even possible to restrict network connections based on URL patterns. The Weblications manager also indicates the level of access requested by the application that a user is about to download.
Unfortunately, there doesn't seem to be a way to lock down these settings based on a (corporate) security policy. In some situations, the ability to deny system access to all Weblications not being served from a certain trusted location would be sufficient to ensure code integrity. IBM, however, chose to rely on digital publisher signatures, similar to Microsoft's Authenticode scheme. Sash expects the end-user to accept or reject Weblications based on the certificate associated with this signature.
This overlooks two important issues. First, a malicious code publisher may be willing to obtain valid code-signing credentials using an innocuous-sounding, but nonetheless fake, identity. This person could subsequently share one signing key with all of his or her virus-writer buddies. Second, the percentage of users who actually bother to read certificate details is minimal. This is especially true because Sash presents the confirmation dialog box for each piece of code in the same sequence as its license agreement. In such a scenario, a user's natural aversion to legal mumbo-jumbo makes him or her even more likely to just click "Yes" and "I agree," without reading the entire contents of the dialog box.
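The origin-based lockdown the review finds missing, as an added sketch (not IBM's code and not a Sash API): permissions that reach outside the sandbox are decided by a central policy on the download location before any dialog is shown, so a valid signature from an unknown publisher cannot unlock them. The policy object, permission labels, host name and function names are all hypothetical, and requiring HTTPS is an assumption of this sketch.

```javascript
// Added sketch: corporate policy evaluated before the user ever sees a prompt.
// Every name here (POLICY, evaluateInstall, permission labels) is hypothetical.
const POLICY = {
  // Constructed example: the only location allowed to serve privileged apps.
  trustedOrigins: [{ host: "apps.intranet.example", pathPrefix: "/weblications/" }],
  // Permissions that leave the sandbox (taken from the review's own list).
  sensitive: new Set(["filesystem", "clipboard", "com"]),
};

function isTrustedOrigin(downloadUrl, policy) {
  let url;
  try {
    url = new URL(downloadUrl); // also normalizes "../" segments in the path
  } catch {
    return false; // an unparseable location is never trusted
  }
  if (url.protocol !== "https:") return false;
  // Exact host match: "apps.intranet.example.other.test" must not pass.
  return policy.trustedOrigins.some(
    (t) => url.hostname === t.host && url.pathname.startsWith(t.pathPrefix)
  );
}

// request: { url, signer, signatureValid, permissions: [...] }
function evaluateInstall(request, policy = POLICY) {
  const trusted = isTrustedOrigin(request.url, policy);
  const granted = [];
  const denied = [];
  for (const perm of request.permissions) {
    // A valid signature shows who signed, not that the signer deserves trust,
    // so on its own it never unlocks a sensitive permission.
    const allowed = !policy.sensitive.has(perm) || (trusted && request.signatureValid);
    (allowed ? granted : denied).push(perm);
  }
  // "block" means the install is refused outright; the user is not asked.
  return { trusted, granted, denied, decision: denied.length ? "block" : "prompt" };
}
```
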
To design Sash applications, you need the Weblications Development Kit (WDK), which includes a complete, integrated development environment. This tool is similar to some other Web-design environments you may have seen. It offers a visual-design mode, complete with an object inspector, a source view, and a project manager.
All basic HTML constructs are nicely supported by the base package. Extensions available in the form of Developer Packs add functionality, for example, an LDAP client, Registry access, screen savers, and Simple Object Access Protocol (SOAP). If you still find some IDE functionality lacking, you can extend the IDE using Sash itself.
You can troubleshoot your Sash apps by using the integrated debugger, which logs events, lets you monitor variable and attribute values, and breaks into your source code whenever an error occurs.
Finally, the deployment manager generates the compressed and digitally signed packages that will be downloaded by your end-users. A minor issue that might annoy some developers and/or their managers is that Sash doesn't have a way to obfuscate source code. This means that inquisitive users who are delving through your cache directory could discover more about your app than you might like.
All things considered, Sash is an excellent program with a stable and complete implementation that lets Web developers deliver significantly enhanced applications to their customers without having to learn Java, C++, Visual Basic, or another RAD-capable language.
My only reservations about this product concern its security model, the fact that it's currently positioned as an alpha-level technology, and that there's no published roadmap for further development. Once IBM manages to fix and clarify these issues, Sash Weblications has "killer intranet tool" written all over it.
Michiel lives in Rotterdam, The Netherlands. He's a networking and development specialist for an international media group and he welcomes questions and comments. You can reach him at firstname.lastname@example.org.