WS-Policy, the three-year-old Web services governance specification supported by rival vendors IBM and Microsoft, is expected to finally make it into a standards body this week, most likely the W3C, according to industry insiders.
WS-Policy provides a framework detailing governance and security policies, such as levels of encryption. But why is this important?
"WS-Policy is one of those good first steps toward qualifying how security and authentication are to be enforced in an SOA environment," said Tony Baer, principal analyst with onStrategies. "While policy is important for any aspect of software or IT infrastructure, it is even more critical in SOAs because of the way that these environments support deployment of composite services on the fly."
This standard and the term policy are hot topics in SOA circles because they potentially bring order to what could quickly become chaos, said Miko Matsumura, vice president of marketing and technology standards at Infravio Inc.
"One of the things SOA and Web services suffers from is the problem of way too many moving parts," he said. "The problem of way too many moving parts is basically a problem of what I call agility without governance or the concept of muscles without skeletons or energy with no structure. These kinds of metaphors convey the idea of something with no constraints."
Borrowing a metaphor from the world of literature and applying it to business computing, Matsumura said, "It's no surprise that the most popular song lyrics and poems are not written in free verse. It tends to follow some constraint model. Meaning is created within the context of constraints. And in fact it turns out that business is conducted in an atmosphere of constraints. And that's a good thing."
In his view, the constraints that come with policy enforcement will ultimately be helpful for developers and especially business analysts working in SOA because the limited options that come with enforcing policies will keep them on a straight and narrow programming path that avoids the problem of creating an application with "way too many moving parts."
A leading SOA architect sees another problem for developers who are working without the benefits of an official policy standard. While waiting for WS-Policy to move from specification to standard, Web services applications are still being hardwired the old-fashioned way, says Toufic Boubez, CTO of Layer 7 Technologies Inc., who was an architect of IBM's original SOA foundation.
It's not possible to build true, loosely coupled Web services applications without a policy standard, he argues.
"The policy layer is crucial to loose coupling," he said in explaining why WS-Policy is so important to SOA. The goal of SOA from its inception was to move away from tightly coupled technologies such as CORBA, he said. But without a means of abstracting the policies that govern how Web services will work together, developers have to code them into their apps the old-fashioned way because existing standards, such as WSDL, do not handle policy assertion.
"WSDL can't convey that," Boubez said. "So all the benefits of loose coupling are lost."
With WS-Policy approved as a standard, policies for Web services to work together would operate similarly to the SSL handshake, he said. That would allow developers to concentrate on the business problem their application is designed to solve, such as sharing inventory data with vendors and suppliers.
Jason Bloomberg, senior analyst with ZapThink LLC, agreed with Boubez in principle but has some reservations about what WS-Policy will accomplish.
"Toufic is absolutely right that companies need a governance framework to guide the creation, communication, and enforcement of policies in order to be successful with SOA," Bloomberg said. "However, WS-Policy is neither necessary nor sufficient for achieving this goal. It is one of a set of policy-related specs that, when broadly implemented, will eventually improve interoperability of policy implementations. But that's a while off."
Bloomberg listed several other specifications that will need to be implemented along with WS-Policy, including:
- WS-PolicyAttachment, described in the March 2006 update of the WS-Policy specification as defining "two general-purpose mechanisms for associating such policies with the subjects to which they apply. This specification also defines how these general-purpose mechanisms can be used to associate WS-Policy with WSDL and UDDI descriptions."
- WS-PolicyAssertions, described in the March 2006 update of the WS-Policy specification as "a building block that is used in conjunction with other Web service and application-specific protocols to accommodate a wide variety of policy exchange models."
Boubez agreed that policy assertions are important to the specification because they can be used to construct policy information that is client independent and thus make possible the loose coupling required for true SOA.
Going beyond WS-Policy, Matsumura said the use of proven patterns and best practices may go as far as any specification or standard in helping developers get workable policies into their applications.