The Web Services Interoperability Organization (WS-I) seeks to strike a balance between SOAP security and its ability to play well with others.
The new WS-I Basic Security Profile (BSP) 1.0 seeks to add the missing link of interoperability for Web services developers using the OASIS WS-Security standard and Secure Sockets Layer (SSL) technology.
Hailing the profile's publication at a launch event Tuesday, Anne Thomas Manes, vice president and research director at Burton Group Inc., said "I think this is a really important profile to have for people to make sure they're designing shareable, interoperable Web services that can interface securely."
Since the millennium, the rap on Web services in general and SOAP in particular was that they were not secure, she recalled. However, she said even before OASIS ratified WS-Security two years ago this month, it was possible to make SOAP secure. Making sure secure SOAP technology was interoperable with heterogeneous systems in a service-oriented architecture (SOA) environment is now a problem that BSP solves.
She said one of the strengths of the profile is that it covers interoperability for WS-Security and SSL because to be on the safe side, she recommends that her clients use both.
The problem of interoperability for SOAP security was not a trivial one, according to Prateek Mishra, director of security standards at Oracle Corp., which contributed to the WS-I profile.
"The challenge was that security technology has literally hundreds of configurations," he explained in an interview following the BSP announcement. "People found that there was quite an issue with interoperability. Between partners using messaging middleware from different vendors it was very hard to interoperate without having a lot of agreements between them. And it's not a simple agreement. These agreements would be literally 15 pages of parameters."
Web services developers using messaging middleware and tools that support BSP will not have to worry about all that paperwork, Mishra said.
Manes said a common misunderstanding about Web services standards is that people think a ratified standard is the end of the story and all the developer has to do is implement the specification and, presto, everything is hunky-dory. But standards that cover a host of use cases and a variety of technologies often present the developer with a confusing set of options.
"When you're a developer who is trying to implement a particular specification or trying to use a particular specification within an application, sometimes it's kind of hard to figure out how to interpret the specifics and the options that are supplied by a specification," she said. "Therefore that tends to lead to interoperability challenges."
The WS-I profiles guide developers through the maze of options and help them implement a given standard in an interoperable manner, Manes said. She goes so far as to advise clients that in most cases they should not try to implement a standard until there is a profile available for it. Along with the new security profile, she recommends that developers look at all the WS-I profiles for the current standards.
"The original WS-I profiles, the WS-I Basic Profile, and the SOAP Profile and the Attachments Profile gave you basic information on how to use SOAP 1.1, WSDL 1.1, and UDDI 2.0, and the SOAP with attachments specifications," she said. "It was an enormous godsend to the industry because before we had the WS-I Basic Profile it was very difficult to make these specs interoperate."
Paul Cotton, Basic Security Profile Working Group chair, also recommends that Web services developers read the "Security Challenge, Threats and Counter Measures" document his group developed as their first step in creating BSP.
"This document was the first thing the working group actually did to analyze what the challenges were that could be presented against Web services, how those manifested as actual threats and what set of counter measures existed out in the technology sphere that could actually be used by Web services developers to handle those threats," Cotton said. "This is a very good introduction. Many people that write to me and ask questions about the security profile often find that their general questions are answered by the Security Challenges document."