cetis Whats all this for? Its not needed for every service, but sometimes plain SOAP isnt enough They overlap a heck of a lot Some are more useful than others Some basic categories: –Enhancements to security –Enhancements to message delivery –Enhancements to service management
cetis Security Problem: How do we make our WS transactions more secure?
cetis Security Answers –Use address translation and proxies –Use wire-level encryption via TLS over HTTP –Overflow protection at router with max message sizes –Validate payloads using XSD –Timestamp messages, and use NTP to synchronise times across servers
cetis Security Answers –Sign payloads using XML-DS –Encrypt message parts using XML-Enc –Authenticate incoming messages using HTTP authentication (basic/digest) –Authenticate incoming messages using WS-Security token exchange –Authenticate incoming messages by processing SAML Authentication Assertions –Use WS-SecureConversation to manage the session credentials
cetis Delivery Problem: How can we improve the reliability and manageability of delivering messages?
cetis Delivery Answers: –provide routing and addressing information using WS-Routing and WS-Addressing –Use WS- Reliability or WS-ReliableMessaging or ebMS to ensure once- only guaranteed delivery –Enable event-driven messaging using WS-Events or WS-Eventing or WS-Notification –Manage target state synchronisation using WS- ResourceProperties and WS-ResourceLifetime
cetis Management Problem: How do we better manage our web services, in particular how do we make dynamic discovery work?
cetis Management Answers: –Identity member services using WS-Federation and WS-Trust –Identity service policies using WS-Policy –Identify service security capabilities using WS-SecurityPolicy –Sequence the transaction flows using BPEL4WS, WS-BusinessActivity, WS- Coordination and/or WS- AtomicTransaction
cetis Q: Do we really need all this stuff?
cetis A: No, not really
cetis Well, maybe some of it WS-Security is really useful at transporting usernames and password digests (or Kerberos tickets) so you can authenticate agent users to service providers SAML is really useful for providing signed assertions about authentication when you dont want to transport credentials
cetis And… XML-Enc and XML-DS are really useful for securing message parts from snooping and interference
cetis …. And the rest? Eventually it will be nice to do event-driven messaging, using something like WS-Eventing, when the message brokers play nicely, likewise WS-Reliability/ReliableMessaging BPEL4WS looks like its worth keeping an eye on
cetis The IMS approach Basic WS-I, plus some standard application- level error codes: –WSDL 1.1 –SOAP 1.1 WS-Security: –However you want to use it WS-EverythingElse: –No comment