Sunday, May 21, 2006

Web Services Security

I recently bought Mark O’Neill et al.’s “Web Services Security” book, which I read on my way back from JavaOne.

This is an excellent book that everybody dealing with SOA MUST read. We too often hear people mixing up SAML and WS-Security (this was my case anyway) and forgetting about XACML and XKMS.

The first part provides a clear WS introduction and recalls, where needed, the basic security concepts: confidentiality, integrity, non-repudiation, authentication and authorization. All those concepts are very well illustrated with good examples.

The second part of the book is dedicated to XML security; this is a book about Web Services security after all. I found the chapters about SAML, XACML and XKMS very useful. I must recognize that I only had surface knowledge of SAML and that I did not know anything about XACML and XKMS.

The third part provides more details about WS-Security. Once again, it is good to be reminded of the basic standards on which WS-Security relies, i.e. WS-Policy, WS-Trust, WS-Privacy, WS-SecureConversation, WS-Federation and WS-Authorization.

The last parts talk about .NET and Passport and provide plenty of examples and case studies.

To summarize, this is an excellent book that is easy to read and that should raise IT consultants’ security awareness. I highly recommend it.

One little remark made in the book that I liked very much is that “Web Services” should be named “Net Services”. It is certainly true that services are not only exposed over the Internet. Moreover, the name “Net Services” would have been less misleading than “Web Services” when it comes to transport: people too often forget that SOAP is transport agnostic.

Finally, this book helped me better understand where authorization policies should be decided and enforced. I now realize that authorization policy enforcement should not be done at the service level but kept outside the service realm.
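To make that separation concrete, here is an added example (my own sketch, not code from the book) using the XACML vocabulary the book introduces: a Policy Decision Point (PDP) decides, a Policy Enforcement Point (PEP) enforces in front of the service, and the service itself contains no authorization logic. The class names (PolicyDecisionPoint, InMemoryPdp, Enforcer, AccountService), the users and the rules are all constructed for the example; the in-memory PDP stands in for a real external policy engine.

```java
import java.util.List;
import java.util.Map;
import java.util.function.Supplier;

// Policy Decision Point: decides, and knows nothing about the service's code.
interface PolicyDecisionPoint {
    boolean permit(String subject, String action, String resource);
}

// Constructed in-memory PDP standing in for an external policy engine
// (for example an XACML PDP). The rules are sample data, not a real policy.
final class InMemoryPdp implements PolicyDecisionPoint {
    private final Map<String, List<String>> rolesOf;      // subject -> roles
    private final Map<String, String> requiredRole;       // "action:resource" -> role

    InMemoryPdp(Map<String, List<String>> rolesOf, Map<String, String> requiredRole) {
        this.rolesOf = rolesOf;
        this.requiredRole = requiredRole;
    }

    @Override
    public boolean permit(String subject, String action, String resource) {
        String needed = requiredRole.get(action + ":" + resource);
        if (needed == null) {
            return false; // deny by default when no rule matches
        }
        return rolesOf.getOrDefault(subject, List.of()).contains(needed);
    }
}

// Policy Enforcement Point: sits in front of the service and asks the PDP.
// Swapping the PDP changes the policy without touching the service.
final class Enforcer {
    private final PolicyDecisionPoint pdp;

    Enforcer(PolicyDecisionPoint pdp) {
        this.pdp = pdp;
    }

    <T> T enforce(String subject, String action, String resource, Supplier<T> call) {
        if (!pdp.permit(subject, action, resource)) {
            throw new SecurityException("denied: " + subject + " " + action + " " + resource);
        }
        return call.get();
    }
}

// The business service carries no authorization logic at all.
final class AccountService {
    String balanceOf(String accountId) {
        return "balance of " + accountId;
    }
}

public class ExternalizedAuthz {
    public static void main(String[] args) {
        // Constructed sample subjects and a single rule: reading an account needs the "teller" role.
        PolicyDecisionPoint pdp = new InMemoryPdp(
                Map.of("alice", List.of("teller"), "bob", List.of("guest")),
                Map.of("read:account", "teller"));
        Enforcer pep = new Enforcer(pdp);
        AccountService svc = new AccountService();

        // alice holds "teller": the call reaches the service.
        System.out.println(pep.enforce("alice", "read", "account", () -> svc.balanceOf("acct-1")));

        // bob does not: the PEP stops the call before the service runs.
        try {
            pep.enforce("bob", "read", "account", () -> svc.balanceOf("acct-1"));
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Save it as ExternalizedAuthz.java and run it with a Java 9 or later JDK. The point to notice is that AccountService never sees a subject or a role: if the rule changes (say, "auditor" may also read), only the policy fed to the PDP changes, which is exactly the decoupling the book argues for.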

Friday, May 19, 2006

JavaOne

Today was my last day at JavaOne. It was an overall very good week.

On the technical side I learned more about the Java Persistence API (JPA), which is the standard API for the management of persistence and object/relational mapping in the Java EE 5 platform. JPA should eventually replace JDO.

Service data interaction is also simplified with Service Data Objects (SDO). The SDO API lets you work with data from multiple data sources, including relational databases, entity EJB components, XML pages, Web services, etc. SDO also takes care of data change summaries, which are used at back-end update time to apply the changes back to the data source. This is all cool and better described here, and it is also implemented by the excellent BEA AquaLogic Data Services Platform.

Obviously AJAX was an important theme, and I have the feeling that the trend is to develop Web GUIs using AJAX-enabled JSF components.

Otherwise, it was also good to get a broad overview of the current product offerings. Note that Sonic did not attend JavaOne this year. Hum, I wonder why? This being said, I was not impressed by Fiorano’s ESB offering.

On the social side, the JBoss party was excellent and the JavaOne one a bit too big; it is difficult to entertain and feed 14 000 people.



Sunday, May 07, 2006

2006 IEEE SOA Industry Summit

Thomas and I have had our paper, titled “Service Contract Template”, accepted for the 2006 IEEE SOA Industry Summit.

We don’t know yet who is going, but I hope I’ll manage to go as it is very promising. Moreover, I have never been to Chicago before :)