Introduction, Integration and Securing Web Services Part 2

  • Article

It is Tuesday morning just one day before Thanksgiving. Leant my friend my car as his was in an accident and just realized the keys to my office were on the key ring. So I am not sitting in a corridor waiting for MS security to let me in. So figured it was a perfect time to write this part 2 of 3 introduction to the work we are doing. I want to get the introduction's out of the way so I can dive deep into Web services and Web services security. So anyway, let me go into detail about another deliverable we are working on:

  1. Web Service Security: Scenarios, Patterns and Implementations - Releasing on December 2nd!  A guide that demystifies web service security. For a full description see: https://blogs.msdn.com/thehoggblog/archive/2005/11.aspx
  2. WS-I Basic Security Profile Reference Implementation - A WSE 3.0 version of the age old classic demonstration of cross platform interoperability. I say age old - because this has been around literally as long as Web services! I exagerate - but there has been a version of this for straight ASMX, and then our team (patterns & practices) took ownership of the WSE 2.0 version - and we are currently working on the WSE 3.0 version. We are also considering working on an Indigo version - but that will only see the light of day if people request it on our workspace (https://practices.gotdotnet.com/projects/wsibsp) as right now I don't have funding to do this officially. Anyway, let me explain a couple of things about the application that I think you will find interesting.
    • Background - The WS-I has a team called the Sample Application Working Group. This group is attended by BEA, IBM, Novell , Oracle, SAP, and of course Microsoft. This team has been working on a design document and testing interoperability of respective implementations of the WS-I Supply Chain Management that was secured according to that design document for probably around 9 months now. This group meets every 4 months or so in person, where we review the status of the design document and test interoperability of our implementations as well as meet with other groups within the WS-I such as the team actually working on the Basic Security Profile and the team responsible for Test Tools.
    • Preview release - In June of this year Microsoft released a preview version of our implementation. This is not an official WS-I version of the application and is only intended to give developers some insight into where the application is going. The application was developed on WSE 2.0 and incorporates a lot of good ideas on how to design your application with interoperability and resilience in mind. This application was tested for interoperability against the vendors that had live endpoints at the time, but due to some recent changes in specifications such as WS-Addressing is probably not likely to interop 100% with other vendors - which is why we are working on the WSE 3.0 version! There is some very good documenation inside this application, so if interop is even remotely interesting to you I would suggest downloading this application and taking a look at the chapters in the PDF on designing resilient web services and the information on interoperability. See https://msdn.microsoft.com/practices/guidetype/RefImp/default.aspx?pull=/library/en-us/dnpag2/html/MSWSIBSP.asp for more information.
    • WSE 3.0 release - We are just in the middle of porting the WSE 2.0 version of the application to WSE 3.0. We hope to have a drop available maybe next week on our GotDotNet workspace (https://practices.gotdotnet.com/projects/wsibsp). We are currently interoperating nicely with many of the other vendors - and I have to say the new programming model in WSE 3.0 is very sweet. At first I was a little anxious because I really liked the extensibility of WSE 2.0's security policy implementation - but I have to admit the learning curve was a little steep - and debugging wasn't that easy. WSE 3.0's model is much simpler - and just as powerful via its support for code based extensibility.
    • Indigo / WCF release - Officially we have nothing planned yet, although a couple of the developers that I work with, Diego and Pablo (who actually work for a software company called Lagash in Argentina) is in the process of porting this to Indigo in their spare time. I would really like to create the official WCF version - but like I said earlier we would need to see a big show of hands on our workspace if people think this would be useful. Our team has a lot of projects that we could work on (mobile, smart client, database, xbox 360 [just kidding]) so we always have to weigh up the costs of doing one project vs another - and your support always helps.
    • Finally - please tell us what you did and didn't like about the WS-I BSP application on our workspace. Because like I said we are in the middle of updating the application for WSE 3.0 - so we can make design changes, and we are at some point early next year going to have to rev the documentation - so we can make changes to the docs! Post feedback to our GotDotNet workspace https://practices.gotdotnet.com/projects/wsibsp.
    • Oh, one other thing. Our Web service securitiy guide has a brief appendix on interoperability for WSE 3.0 as well. So if interop is your thing definitely stay tuned for our release in early December.
  3. Security Token Service Quickstart for WSE 3.0 - A sample demonstrating how to issue and consume SAML v1.1 tokens on WSE 3.0. Stay tuned for more. This will be part 3 of this blog.

Anyway, hope to get another post out tomorrow. If I don't I wish all people in the US a happy thanks giving. I should also mention that I am actually Australian - so this holiday is not one that I grew up with... but we get a full four days off for it - so it must be good.