Even if you're using an older version of a web services platform that doesn't support WS-Security, you can always add support for WS-Security using XML security gateways (such as Forum, IBM/DataPower, Intel/Sarvega, Layer 7, and Reactivity) and web services management (WSM) solutions (such as Actional, AmberPoint, Blue Titan, Infravio, and SOA Software).
Although WS-Security is an important piece of the puzzle, it does not and will not provide a complete security solution for web services. As the first article indicates, one of the most challenging aspects to security is that legacy applications use a variety of authentication and authorization mechanisms. Even if all your SOAP interactions use WS-Security to pass authentication information, you still need to transform those claims into the appropriate claims recognized by the applications being accessed. For example, you might use SAML for your SOAP interactions, but you still need to map the SAML assertions to RACF in order to access a legacy CICS transaction.
Anne
On 10/26/05, Keith Harrison-Broninski <[EMAIL PROTECTED]> wrote:
The author writes:
> The knowledgeable reader despairs for a safe and effective approach,
> and indeed one does exist, as described in WS-SECURITY. The single
> troublesome detail preventing the widespread acceptance of this
> approach is that it is universally unimplemented in the target
> systems. Over time however, we do believe WS-SECURITY will be
> implemented by many enterprise systems and the situation will
> gradually improve. It will never be perfect, though, and security
> hacks like those I describe above will still be required if Service
> Layers are to be constructed.
The folks at Liberty Alliance and Internet 2 might have something to say
about the "universal" lack of WS-SECURITY implementations. If you are
looking to a standards-based approach, you might like to check out my
own article on the topic for ebizq:
http://www.ebizq.net/topics/systems_management/features/6249.html
--
All the best
Keith
http://keith.harrison-broninski.info
Gervas Douglas wrote:
><<Security is a very large topic for Service Layer implementers, and
>the scope is too broad for a short article like this one. So I'll
>just discuss the most obvious aspect of it – user authentication.
>
>If the Service Layer is to have great value, it needs to provide a
>homogeneous authentication approach. A typical goal would be to have
>authorization decisions somehow externalized so that the Service
>Layer could handle that automatically in the context of the
>universal authentication scheme.
>
>Unfortunately, what we normally see is a much more difficult
>situation. Legacy systems were built over a long period of time by
>people who did not know each other, who did not share common goals,
>who did not understand enterprise architecture, and to whom security
>was a last-minute add-on. As a result, the various authentication
>schemes that back-end systems implement are eclectic and thus hard
>to mold into a seamless whole, which is the goal of the service
>layer.
>
>Examples of legacy authentication approaches that we found included
>standard mainframe RACF or ACF, single-system userid/password
>repository and even one that used a "trusted IP". Trusted IP means
>that if your IP address is in their table, you can just come on in.>>
>
>You can find this at:
>
> http://www.ebizq.net/hot_topics/soa/features/6358.html
>
>Gervas
>
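Anne's point above about mapping SAML assertions to RACF, as an added example that is not part of the original thread: a fail-closed claim mapper that turns the subject of an already-validated assertion into a legacy RACF user ID. The SAML 2.0 namespace, the sample assertion, the `CLAIM_MAP` table and all names and URLs are assumptions constructed for illustration; signature and validity checks are assumed to happen upstream (for example in an XML security gateway).

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
RACF_ID = re.compile(r"[A-Z0-9#$@]{1,8}")  # RACF user IDs are at most 8 characters

class MappingError(Exception):
    """Raised whenever a claim cannot be mapped; callers must deny access."""

# Constructed sample assertion (not from the thread). It is unsigned because
# signature verification is assumed to have been done before this step.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2005-10-26T12:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
</saml:Assertion>"""

# Hypothetical mapping table: (issuer, NameID) -> RACF user ID.
CLAIM_MAP = {("https://idp.example.test", "alice@example.test"): "ALICE01"}

def racf_user_for(assertion_xml, claim_map=CLAIM_MAP):
    """Return the RACF user ID for the assertion's subject, or raise MappingError."""
    if "<!DOCTYPE" in assertion_xml:
        raise MappingError("DTDs are not accepted in assertions")
    try:
        root = ET.fromstring(assertion_xml)
    except ET.ParseError as exc:
        raise MappingError(f"malformed assertion: {exc}") from exc
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise MappingError("root element is not a SAML assertion")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    name_ids = root.findall("saml:Subject/saml:NameID", NS)
    if len(name_ids) != 1 or not (name_ids[0].text or "").strip():
        raise MappingError("expected exactly one non-empty NameID")
    subject = name_ids[0].text.strip()
    # The key includes the issuer, so the same NameID from another IdP never maps.
    racf_id = claim_map.get((issuer, subject))
    if racf_id is None:
        raise MappingError(f"no legacy identity for {subject!r} from {issuer!r}")
    if not RACF_ID.fullmatch(racf_id):
        raise MappingError(f"mapped value {racf_id!r} is not a valid RACF user ID")
    return racf_id
```
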
