AJAX (Asynchronous JavaScript and XML) in the enterprise faces many challenges, including security and questions on whether it actually is a better application deployment choice, according to panelists at TheServerSide Java Symposium on Thursday.

“When it comes to protecting the application and what lies behind it from the user, I don’t think AJAX really changes the security story at all,” said panelist Glenn Vanderburg, a self-employed consultant. “It’s a mistake to send data up to the browser that the user shouldn’t see.”

But the question AJAX raises is how to protect the user from the application, he said. “An AJAX application can do things for itself without explicit interaction and explicitly being told by the user.” AJAX requests to the server should look like a traditional request, Vanderburg said.

Panelist Edward Burns, senior staff engineer at Sun Microsystems, cited the Java sandbox as a mechanism for application security. There is such a sandbox for JavaScript, but there are questions about its adherence to specifications, Burns said.

AJAX applications do create issues, said Steve Maryka, CTO of Icesoft. If there is difficulty testing large pieces of JavaScript, there will be difficulty in verifying that it is a secure application, Maryka said.

On the subject of scalability, panelist Dion Almaer, a co-founder of the Ajaxian Web site, said AJAX offered superior scalability. Panelist Neal Ford, application architect with ThoughtWorks, said AJAX applications can be more scalable and tunable.

Browsers of tomorrow, meanwhile, will be superior, Almaer said. Future browsers will allow real development and handle heavier loads. “We’re going to have to rethink the way that we do all this stuff,” Almaer said.

He reiterated what he said two weeks ago at the Desktop Matters conference about desktop applications and Web applications moving closer together. “We just had a show, Desktop Matters. Our contention is all of the worlds are kind of mixing together,” Almaer said. But he said he would bet on the “open” Web winning out.

Web applications are attractive for commerce, according to Vanderburg. “If you can lure them into your Web page, you might have somebody locked in as your customer for life,” he said.

But Ford said some complex desktop applications were meant for the desktop. “Something like Adobe Photoshop, you could never create an AJAX version of Photoshop because it’s so rich,” Ford said.

Also at the show, another set of panelists discussing open source were curious about the upcoming GNU General Public License (GPL) 3 and the existing Lesser GNU General Public License (LGPL).

“There are certain restrictions that [GPL 3] places on hosters and certain restrictions that it places on things like digital rights management and stuff like that that people just feel uncomfortable with,” said panelist John Newton, CEO and chairman of Alfresco, in an interview after the session. The LGPL raises concerns about linking of different pieces of software, Newton said.

Also on the agenda for Thursday afternoon was a session on Rife, an open source component framework for building Java Web applications.