Out of the Frying Pan
Don Box: I have to say that the authentication story blows chunks. Having to hand-roll yet another “negotiate session key/sign URL” library for J. Random Facebook/Flickr/GData clone doesn’t scale. Personally, my dream stack would be ubiquitous WS-Security/WS-Trust over HTTP GET and POST and tossing out WSDL
From page 1 of WS-Security (emphasis added):
This specification describes enhancements to SOAP messaging to provide message integrity and confidentiality. The specified mechanisms can be used to accommodate a wide variety of security models and encryption technologies.
This specification also provides a general-purpose mechanism for associating security tokens with message content. No specific type of security token is required, the specification is designed to be extensible (i.e.. support multiple security token formats). For example, a client might provide one format for proof of identity and provide another format for proof that they have a particular business certification.
Additionally, this specification describes how to encode binary security tokens, a framework for XML-based tokens, and how to include opaque encrypted keys. It also includes extensibility mechanisms that can be used to further describe the characteristics of the tokens that are included with a message.
I’d suggest that the root problem here has nothing to do with HTTP or SOAP, but rather that the owners and operators of properties such as Facebook, Flickr, and GData have vested interests that need to be considered.
Is security the killer feature of WS-*?
I said something along these lines at QCon last week and got some strange looks. I’m happy to see that Don Box is saying it’s quite important as well. People may take digs at the complexity of the WS-* specs, but security is damn complex and...Excerpt from netzooid at
Having one's cake and eating it too
Sam has an interesting response to my bitching about authentication. “I’d suggest that the root problem here has nothing to do with HTTP or SOAP, but rather that the owners and operators of properties such as Facebook, Flickr, and...Excerpt from Don Box's Spoutlet at
Touche.
The “ideal world” I was describing was one with a mechanized authentication story that works and is ubiquitous.
I’ll admit that while WS-Security aspires to this, ubiquity hasn’t happened yet.
Posted by Don Box at
It isn’t a matter of ubiquity. As I left in a comment on your blog (which apparently doesn’t support preview or html):
“Out of the box”, exactly what security mechanisms does WS-Security provide?
Posted by Sam Ruby at
exactly what security mechanisms does WS-Security provide?
You probably saw this presentation before, but there’s an especially apt slide in it that reads: “[WS-Security] is not ready to use. It’s a security protocol construction kit.”
Posted by Pete Lacey at
Don Box: I have to say that the authentication story blows chunks. Having to hand-roll yet another “negotiate session key/sign URL” library for J. Random Facebook/Flickr/GData clone doesn’t scale. Personally, my dream stack would...
Excerpt from Megite Technology News: What's Happening Right Now at
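To make the “construction kit” point concrete, here is an added example (not code from the post or from any of the commenters) of what the WS-Security UsernameToken profile gives you out of the box, namely the PasswordDigest encoding, versus what a verifier still has to build itself: a freshness window and a nonce cache, without which a captured token can be replayed indefinitely. The user names and passwords are constructed, and the nonce is treated as raw bytes (as common implementations do).

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# UsernameToken Profile: PasswordDigest = Base64(SHA-1(nonce + created + password)).
# The nonce is the Base64-decoded bytes; created is the xsd:dateTime string (assumption,
# matching common implementations). This is all the profile itself specifies.
def password_digest(nonce: bytes, created: str, password: str) -> str:
    data = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def make_token(username: str, password: str, now: datetime) -> dict:
    """Client side: fresh nonce and timestamp, digest instead of the clear-text password.
    Keys mirror the wsse:Username, wsse:Nonce, wsu:Created and wsse:Password elements."""
    nonce = secrets.token_bytes(16)
    created = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created, "PasswordDigest": password_digest(nonce, created, password)}

class UsernameTokenVerifier:
    """Server side. Freshness window and replay cache are NOT in the spec; they are the
    parts you have to construct yourself, and skipping them turns the digest into a
    reusable bearer credential. Confidentiality of the payload still needs TLS or XML
    Encryption; the digest only avoids sending the password itself."""
    def __init__(self, passwords: dict, freshness: timedelta = timedelta(minutes=5)):
        self.passwords = passwords          # constructed user store: username -> password
        self.freshness = freshness
        self.seen = set()                   # (username, nonce, created); prune by age in production

    def verify(self, tok: dict, now: datetime) -> str:
        password = self.passwords.get(tok["Username"])
        if password is None:
            return "unknown user"
        created = datetime.strptime(tok["Created"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs(now - created) > self.freshness:
            return "stale timestamp"        # outside the window: reject before touching the cache
        key = (tok["Username"], tok["Nonce"], tok["Created"])
        if key in self.seen:
            return "replayed nonce"         # same token presented twice within the window
        expected = password_digest(base64.b64decode(tok["Nonce"]), tok["Created"], password)
        if not hmac.compare_digest(expected, tok["PasswordDigest"]):
            return "bad digest"
        self.seen.add(key)                  # only remember tokens that actually verified
        return "ok"
```

The cache only needs to hold entries for the length of the freshness window, since anything older is already rejected by the timestamp check.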
we need message level encryption and integrity mechanisms - this is what we get from wsse. what we are doing today (ssl and a prayer) isn’t working - 200 million breached records can’t be wrong. privacyrights.org but hey it’s not the REST developers’ data which gets breached so who cares right?
Posted by gunnar at
Don Box on Auth
I found it hilarious that Don moans about HTTP auth and then points to WS-Security as the way forward, I just can’t decide if Don was trying to be funny, or is actually serious. (in which case he’s been in Redmond too long), looks like I’m not the...Excerpt from Simon Fell at
wrt your emphasis on “No specific type of security token is required, the specification is designed to be extensible”
This is a very good thing. wsse supports Kerberos tickets (such as you get from AD), SAML, and X.509 certs. We don’t want/need developers reinventing these things (poorly); what we need is a way to move these claims around in a system. So let the developer use their existing directory, CA, etc. Anyhow, it’s nice to see the Atom folks learn from wsse, but what they have done so far is the very tip of the iceberg.
Interestingly enough, this is the easy part of the problem as far as I am concerned, the harder problem that no one has a good solution for today is the authZ piece. The closest thing is probably XACML, but it is early days. authZ is harder because the vendors aren’t motivated to solve this problem (like they are with Identity). And as we have seen, the open source communities are very content to have weak security models. So that really only leaves architects in big companies to bash vendors on the head and hope they do something about it. See McGovern:
In the meantime, among all these petty SOA/Rest quarrels, the breached records pile up.
Posted by Gunnar at
Anyhow, it’s nice to see the Atom folks learn from wsse
I think a more accurate statement would be that Atom and WS-Security build upon a common base.
Posted by Sam Ruby at
Out Of The Frying Pan and Eating the Cake
Don Box says: “Personally, my dream stack would be ubiquitous WS-Security/WS-Trust over HTTP GET and POST and tossing out WSDL in favor of doing direct XML programming against payloads from VB9 (or XQuery), but hey, I have unusual tastes.” In...Excerpt from Musings about web services at
Links - 11.19.2007
BPEL++ You have to wonder if some people enjoy endless upgrade cycles and shiny new complicated specs. SOA 3.0? Come on, that’s insane. You can’t go to the next version before the current version is even deployed! Out of the Frying Pan Another old...Excerpt from discipline and punish at
REST for developers - it's only a beginning
In my last post I asked Steve Vinoski some questions about REST and WebServices. I’d like to comment on the questions a bit more. First though I’d like to thank Steve for taking my questions the way he did and providing interesting answers,...Excerpt from Musings about web services at
OpenID + OAuth is the Final Nail in the Coffin of the WS-* vs. REST Discussion
Although the choice of whether to pick between WS-* and REST when deciding to build services on the Web seems like a foregone conclusion, there seems to be one or two arguments on the WS-* that refuse to die. You can find them in the notes...Excerpt from Dare Obasanjo aka Carnage4Life at