WS-Security: IBM First at the Plate


  • WS-Security: IBM First at the Plate

    ** This thread discusses the article: WS-Security: IBM First at the Plate **

  • #2
    WS-Security: IBM First at the Plate

    What is the revolutionary part of WS-Security? I don't know anything about the WS-Security initiative, so perhaps you could tell us a little more about what is new with WS-Security.

    "Up until the WS-Security specification was written last April, there was no widely accepted standard for XML to provide true confidentiality and integrity in Web services applications using the Simple Object Access Protocol (SOAP)."

    JAX-RPC and JAXM are both based on SOAP and are secure when using mutual authentication over SSL and optional client-certificate authentication. By using client-certificate authentication combined with HTTP over SSL, you get data encryption, server authentication, message integrity, and client cert conforming to the X.509 PKI standard. All of this is available NOW, it is free, and is a published standard. Further, it is supported on Tomcat which has deep market acceptance - seems pretty widely accepted to me.

    I did have to chuckle over the assertion that IBM is keeping Sun at arm's length in part due to the worry over the "...opportunity for Sun to significantly change the playing field of any standard at its own discretion." I guess IBM is better off partnering with Microsoft. After all, Microsoft doesn't change their standards or engage in any such tinkering, right?

    Alex Garrison



    • #3
      WS-Security: IBM First at the Plate

      Alex,

      There are many things that I'm still learning about WS-Security, so your questions continue to prod me to learn more. WS-Security is a specification that IBM and Microsoft hope will become a standard. It isn't a standard yet, but it's their intention to make it so. The focus of this specification is to describe a single-message security language that provides for message security that may assume an established session, security context and/or policy agreement.

      According to IBM: The Web services security language must support a wide variety of security models. The following list identifies the key driving requirements for this specification:

        • Multiple security tokens for authentication or authorization
        • Multiple trust domains
        • Multiple encryption technologies
        • End-to-end message-level security and not just transport-level security

      My understanding of the specification is that it provides a mechanism to integrate and communicate the means of security that is being used. For instance, JAX-RPC and JAXM may be secure when using "mutual authentication over SSL etc." but the complexity of integrating and matching security protocols through SOAP becomes increasingly complex. I believe what IBM and Microsoft are employing is a syntax within SOAP whereby the complexity of interfacing can be automated.

      IBM says: "The goal of WS-Security is to enable applications to construct secure SOAP message exchanges. This specification is intended to provide a flexible set of mechanisms that can be used to construct a range of security protocols; in other words this specification intentionally does not describe explicit fixed security protocols."

      Regarding IBM's and Sun's relationship - vis-à-vis Microsoft - I think the issue has to do with how Sun has worked with IBM in the past and its re-engineering of J2EE specifications in the past. Engineers within IBM tell me that there was a major effort underway two years ago to work with Sun towards IBM's e-Business goals using Java. However, in the middle of the effort, Sun suddenly started going in a completely different direction, leaving a lot of IBMers -- and a significant amount of development -- in the lurch. As a result, these IBM developers have become wary.

      By comparison, IBM's relationship with Microsoft simply recognizes the obvious thrust that Microsoft has been making in Web services, and the WS-Security specification is a joint effort to nail those projects down and move work forward. Secondly, IBM has a major investment in Microsoft technology in its e-Server line, whereas it has no such investment in a similar line of hardware supporting Sun. So, as in any large organization that's working with another large organization, there's room for establishing common goals and interests, regardless of past infractions of trust or consistency.

      Does this mean that IBM has a love/hate relationship with both Microsoft and Sun? Well, hello... Of course it does! But business is business, and IBM's goals are to move all of its platforms forward on the e-Business/e-Server model, and it will pick and choose its partners -- who it will woo and who it will slight -- based upon those business goals. In the case of WS-Security, IBM obviously feels that Microsoft has had more to offer than Sun.

      Thanks for the questions and the input.

      Thomas M. Stockwell

      The Complete WS-Security Specification Description Document
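
The "end-to-end message-level security and not just transport-level security" requirement quoted above, as an added example that is not part of the original thread or of the WS-Security specification: SSL protects each hop separately, so a message relayed through an intermediary is plaintext at that hop, while an integrity value carried in the message is checked by the final receiver. It assumes a key shared by sender and receiver and uses HMAC-SHA256 as a simplified stand-in for the XML Signature that WS-Security builds on; the intermediary, all function names and the sample payload are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo key, shared only by the original sender and the final receiver.
END_TO_END_KEY = b"constructed-demo-key"
# Constructed sample payload.
SAMPLE_BODY = b"<transfer><to>acct-42</to><amount>100</amount></transfer>"

def sign_body(body: bytes, key: bytes) -> str:
    """Message-level integrity value (HMAC stand-in for an XML Signature)."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_message(body: bytes, key: Optional[bytes]) -> dict:
    """Sender: attach a signature header only when message-level security is used."""
    headers = {"Signature": sign_body(body, key)} if key is not None else {}
    return {"headers": headers, "body": body}

def intermediary(message: dict, tamper: bool) -> dict:
    """Intermediary hop: the inbound SSL session ends here, so the body is
    plaintext at this point and is forwarded over a separate SSL session."""
    body = message["body"]
    if tamper:  # models a faulty or compromised hop altering the payload
        body = body.replace(b"<amount>100</amount>", b"<amount>9000</amount>")
    return {"headers": dict(message["headers"]), "body": body}

def receive(message: dict, key: bytes) -> str:
    """Final receiver: 'accepted', 'rejected', or 'unverified' (nothing to check)."""
    signature = message["headers"].get("Signature")
    if signature is None:
        return "unverified"
    expected = sign_body(message["body"], key)
    return "accepted" if hmac.compare_digest(signature, expected) else "rejected"

def demo() -> dict:
    """Signed and intact, signed and altered, SSL-only and altered."""
    signed = build_message(SAMPLE_BODY, END_TO_END_KEY)
    ssl_only = build_message(SAMPLE_BODY, None)
    return {
        "signed_intact": receive(intermediary(signed, False), END_TO_END_KEY),
        "signed_altered": receive(intermediary(signed, True), END_TO_END_KEY),
        "ssl_only_altered": receive(intermediary(ssl_only, True), END_TO_END_KEY),
    }

if __name__ == "__main__":
    print(demo())
```

With SSL alone the receiver has nothing in the message to check, so the altered body arrives as "unverified"; with the signature header the same alteration is rejected.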
