April 2004 - Posts
I just stumbled upon this one on Darrel Norton's Blog. Yet another development methodology. I have to read more about it, but it seems inspired by XP, Agile and similar thinking.
This evening I'm going to hunt for webcasts about WS-Security. I'll try to find fresh ones, starting on Microsoft sites:
Architect Webcast: Securing Web Services (interwise recording)
Support WebCast: Introduction to Microsoft Web Services Enhancements (Windows streaming media)
This one is good if you've been into soap headers and such before:
Support WebCast: Microsoft ASP.NET: Advanced XML Web Services Using ASP.NET (Windows streaming media)
And this is an older, but very good article that describes the different proposed security specs around web services.
If you know of good webcasts about WS-Security, please comment.
If someone out there missed it :)
"Web Services Security 1.0, the foundation specification for creating a security infrastructure around Web services, officially became a standard Monday, paving the way for corporate adoption."
InfoWorld April 20, 2004
One of many articles is available here.
I'm having a hot discussion with a fellow at work about different ways to protect a Web Service and we're of course having different opinions about this. If you look at the Web Service method or end-point as a resource available on a network and you want to protect that resource from being called by someone who isn't allowed - how should you do it?
My friend works for a LARGE company that has a web access management product and he is a product specialist, and this product is pretty good at protecting URL resources. So, he naturally suggests that we use this product and put an access layer in front of all our Web Services. Each Web Service proxy/client must then add a special HTTP header or encrypted cookie that this access management agent looks for before it's allowed to access the service method. Each Web Service method has a unique URL or URI so we just configure it as a protected resource in the access management catalogue and put its agent (which is an ISAPI filter) on each Web Service server. We don't want to protect the resource with basic authentication because we prefer not to store uid and pw on the machine. Each end user will be using a web browser and also be authenticated through this product, so each user will have a unique and encrypted cookie which can be used to protect each Web Service as well.
This will probably work pretty well, and you get rid of access management stuff from the Web Service implementation. But I don't like this solution, for several reasons, mainly:
1. I personally believe that each service should be autonomous and take care of its own user authentication. In this case I would send the user id as an encrypted token in a SOAP header or implement WS-Security, and do user authentication in a SOAP filter or similar so that Web Service method implementors didn't have to worry about it. Keep out-of-band data away from the message implementation. Besides, isn't this what WS-Security is all about?
2. I don't like to have HTTP headers or cookies added to the SOAP message. Doesn't that make you transport-protocol dependent? What if the services were moved to the back end of MQ or something similar in the future?
What do you think? Do you see any other reasons to use or not use an access management layer in front of and separated from the Web Service?
If you know about any good resources on the Net (papers, talks, web casts etc.) that bring this matter up, please write a comment about it. Pat Helland talks much about autonomous services and fiefdoms, and how they should take care of everything themselves, but I've not read or heard much about protecting access to Web Services.
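To make point 1 and point 2 above concrete, here is an added example (not code from the original post, and not any product's or vendor's code) of the "SOAP filter" idea: a WS-Security UsernameToken is built into the SOAP header on the client side and checked on the service side by a function that only ever sees the envelope text. Because the check never touches HTTP headers or cookies, the same function works whether the envelope came in over HTTP or was pulled off a queue. The digest rule (Base64 of SHA-1 over nonce, created timestamp and password) is the one in the WS-Security 1.0 UsernameToken profile; the user store, the sample user "alice" and her password, and the 300-second freshness window are constructed for the example. It is written in Python so it runs stand-alone; an ASP.NET SoapExtension would apply the same logic.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Optional, Set
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample credential store; a real service would consult a directory.
USERS = {"alice": "correct horse battery staple"}


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken profile: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_envelope(username: str, password: str, body_xml: str) -> str:
    """Client side: the credential travels inside the SOAP header, not in an HTTP header or cookie."""
    nonce = secrets.token_bytes(16)
    created = datetime.now(timezone.utc).strftime(TIME_FMT)
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}">'
        f'<soap:Header><wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">'
        f'<wsse:UsernameToken>'
        f'<wsse:Username>{username}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST_TYPE}">'
        f'{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>'
        f'<wsu:Created>{created}</wsu:Created>'
        f'</wsse:UsernameToken></wsse:Security></soap:Header>'
        f'<soap:Body>{body_xml}</soap:Body></soap:Envelope>'
    )


def authenticate(envelope_xml: str, seen_nonces: Set[str],
                 now: Optional[datetime] = None, max_age_s: int = 300) -> Optional[str]:
    """Service-side filter: returns the authenticated username, or None to reject.

    Only the message is inspected, so this runs unchanged in front of an HTTP
    endpoint or behind a message queue (the transport-independence argument).
    """
    now = now or datetime.now(timezone.utc)
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return None
    token = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
    if token is None:
        return None                                  # no credential in the message
    username = token.findtext(f"{{{WSSE_NS}}}Username")
    pw_el = token.find(f"{{{WSSE_NS}}}Password")
    nonce_b64 = token.findtext(f"{{{WSSE_NS}}}Nonce")
    created = token.findtext(f"{{{WSU_NS}}}Created")
    if pw_el is None or pw_el.get("Type") != DIGEST_TYPE or pw_el.text is None:
        return None                                  # only digest passwords are accepted
    if None in (username, nonce_b64, created):
        return None
    # Freshness window: a captured token stops being usable after max_age_s seconds.
    try:
        created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        nonce = base64.b64decode(nonce_b64, validate=True)
    except (ValueError, binascii.Error):
        return None
    if abs((now - created_dt).total_seconds()) > max_age_s:
        return None
    # Replay check: the same nonce is never accepted twice inside the window.
    if nonce_b64 in seen_nonces:
        return None
    password = USERS.get(username)
    # Compute a digest even for unknown users so response time does not reveal valid names.
    expected = password_digest(nonce, created, password or "")
    if password is None or not hmac.compare_digest(expected, pw_el.text):
        return None
    seen_nonces.add(nonce_b64)
    return username
```

Usage: `authenticate(build_envelope("alice", USERS["alice"], "<Ping/>"), set())` returns `"alice"`, and feeding the identical envelope a second time with the same `seen_nonces` set returns `None`. In a real service the nonce set would be pruned after `max_age_s` seconds so it does not grow without bound, and the user store would be the directory the access management product already uses, so the autonomous service and the browser-facing product can share identities without sharing the transport.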
The security guys here also banned access to the soap chat server I set up on the Internet to be able to chat with my old pals... correct, they don't allow Messenger or any other chat-programs. I know I'm not allowed to do chat-stuff over the Internet according to the IT-rules here, but gaaaaahhh!!! I must be able to chat a little with my friends, my mailbox is flooding as it is already!
I'm thinking of moving my chat Web Service (which is already protected by userid and password in a SOAP header) to another location and encrypting the messages. How hard can it be in .NET?
I've been doing too little programming and too much Visio and Word lately, it's getting to me. I guess I have to think up some hobby project or other - any good ideas anyone? I don't have enough spare time to join some bigger projects on the Net though. I've been through a large project like that already when I spent 2 years coding up the UnrealTournament TC called Unreal Fortress. It was way fun but took too much time.
There must be other programmers like me out there who get thrown into system architecture land instead of software architecture. Way too many nodes and arrows, and way too few classes and uses ;)
Pat Helland is always good to both read and listen to. This web cast may have been up there on the Net for some time now, but I must have missed it somehow. The presentation is called Metropolis: Envisioning the Service-Oriented Enterprise, and it is available here http://msdn.microsoft.com/architecture/enterprise/default.aspx . Personally I think this is one of Pat's better performances, if you're into system / software architecture and Web Services - don't miss it.
EDIT: Part 2 of the Metropolis talk is available on this page: http://msdn.microsoft.com/library/default.asp?url=/seminar/mmcfeed/mmcdisplayfeed.asp?lang=en&product=103364&audience=100402
I must give praise to a really nice little tool that I'm sure many of you have used the last years - the NTSVC.OCX control. The control was a sample control made by some guy at Microsoft a long time ago and was provided with the January 1997 edition of MSDN. I'm not sure where or if it is available for download anymore, but boy, has it made life easier for me the last 6 years! I had pretty complex VB6 services running on an NT4 box for over a year without a single stop or reboot of the machine. In the end we had to install a service pack and some hotfixes for NT4 on the machine.
Someone at Microsoft once coded this thingy, I'm sure some of you know who it is. If so, send my best regards - that control has been of great use.
I'll be the first to admit that integration between different Microsoft server products and stuff you develop yourself on the Windows platform isn't always easy, but compared to the PAIN it is to do the same stuff on the Java/J2EE platform it's nothing!
I've been sitting for days now trying to get Vignette 7 (a java portal server) running on top of BEA Weblogic 8.1 (J2EE app server) against an Oracle database and having Vignette running in a mixed mode with RSA ClearTrust for authentication where the ClearTrust agent is installed as an ISAPI filter on an IIS web server on another machine (for security reasons). GAHH! Forget about any nice looking configuration tools here, we're talking heavy Notepad sessions here! I spent hours and hours in Notepad, with property files and xml files all over my screen. AND THANK GOD FOR GOOGLE!
The easiest thing to get going so far has been Oracle actually. It would have been cool to use Oracle 10g with its new and easier setup, but I had to use 9.2 for now. The last thing we have to fix now is automatic login into Vignette after a successful authentication against ClearTrust. If anyone's interested (guess you're not :) I'll write another entry and let you know how things went... Man! I want to write programs, not configure Java stuff!
EDIT: Now we got automatic (Single Sign On) login into Vignette working! After some digging into readme-files and a couple of property and xml files it runs. Had to configure the realm correctly and specify the HTTP header that ClearTrust uses for setting the username of the authenticated user. Cool, the biggest problem now will be to build up a good user and group catalogue structure. This will take a long time because we're going to have lots of portal sites, lots of different roles and need distributed admin for this... :/
One sad thing we noticed was that when creating users from Vignette, they ended up properly in the ClearTrust LDAP catalogue, but were marked as private and you couldn't specify a password. Not good. May have to change the Vignette config to use read-only mode against the ClearTrust LDAP. Hmmm... Perhaps it's better to move this blog-entry to a new post with a proper Post Title :D
I've finally discovered the power of a good Wiki-web. For certain projects it's a wonderful tool - as a tool for collecting requirements, collecting research data for a book or whatever job that involves a large amount of text.
I downloaded and installed OpenWiki (asp/iis) and it runs pretty smooth. Just have to figure out how to upload files to it now :)