Securing Web Services Made Easy
Today, the ubiquity and versatility of the Internet lends a viable and convenient medium for companies to provide services to each other on the Web. Examples abound: purchases of parts and materials, administration and investment of employee 401(k) plans, travel and hotel bookings. The first and foremost requirement for setting up those interactive transactions is security, that is, verifying that the users are who they say they are and determining what they are authorized to do. Often, the setup involves grappling with a host of heterogeneous, complex environments, to say nothing of the rules and policies that govern authority limits, transaction types, and the like.
What enterprises have long clamored for are ways to do two things:
* Building and securing loosely coupled Web services with open standards and technologies
* Making secured services available dynamically between clients and servers
In his presentation at JavaOne today, Pat Patterson, Sun's architect for identity management, first defined the need for federation: the agreements, standards, and technologies that enable the portability of identity and entitlements across autonomous domains. The protocols and components are available from the Liberty Alliance Specifications in the form of the Identity Federation Framework (OASIS SAML 2.0). To apply those standards and implement authentication, you can use the APIs in Sun Java System Access Manager. Also, currently in process is JSR 196, which will add a standard service provider interface with which to integrate authentication mechanism providers with containers on the Java EE platform.
I was impressed to hear about the level of sophistication possible. For example, users can elect to be notified of attempted accesses to their private information and preapprove or reject them before the transactions take place. Balancing the interruptions and gatekeeping with efficiency promises to be an interesting challenge, however.
Following Pat's presentation were two demos by two Sun engineers:
* The underlying code for the interfaces (Malla Simhachalam)
* The GUI capability of an upcoming release of Sun Java Studio Enterprise that enables you to build advanced, loosely coupled Web services and implement federated identity solutions by a few intuitive point-and-clicks (Vidhya Narayanan)
It was simply amazing and magic-like! The bottom line: All developers must do is plug in the business logic with no need to learn or apply the often complex nuances of the protocols and profiles in the standards. Sun Java Studio Enterprise factors in the specification requirements and generates the XML code in the background, ready for purusal any time.
Look for a technical article on this subject on developers.sun.com in the fall. We'll describe the implementation in detail and include code templates.
In a blink, it's been almost four months since I posted this blog. The article promised in the bottom paragraph is now live! Have a look: Building Identity-Enabled Web Services.
October 19, 2005