Web Services Still at an Impasse

Fifteen vendors with a common interest in distributed computing will show
how they’ve been able to get the Web Services (WS) Security standard to work with
each other’s products next week.

IBM, Microsoft, BEA Systems and others are participating in the
demonstration at Gartner’s Application Integration and Web Services Summit
next Wednesday. The demo will celebrate the one-year anniversary of
WS-Security, a blueprint designed by OASIS members to ensure the secure
exchange of messages between applications.

Software built on WS-Security could enable single sign-on Web services
transactions, allowing users to shop or exchange info
across different devices.

But as the industry trudges toward standards convergence, there remain some
issues that need to be resolved among groups who want to establish Web
services in different ways.

Tony Nadalin, lead author of WS-Security and a distinguished engineer and
chief software architect for IBM, said that while great strides on crucial
aspects of Web services have been made, there is some overlap that could impact developers and users.

For example, Nadalin said the Identity Web Services Framework (ID-WSF) of
the Liberty Alliance Project (LAP) has certain elements that duplicate
efforts with the World Wide Web Consortium’s (W3C) WS-Addressing spec.

ID-WSF has its own addressing spec, which could cause some problems, said
Nadalin, who, as IBM’s representative to the LAP, is familiar with the
work of Liberty.

Moreover, Nadalin said ID-WSF is not compliant with the Basic Profile for
Web services written by the Web Services Interoperability (WS-I)
organization, of which IBM is a significant player. The problem is a
technical one.

“The headers and bodies aren’t compliant, and this is going to create some
grief or worries with people that have tooling that generates WS-I-compliant
Web services,” Nadalin said.

The engineer said Liberty places the timeout header as a major SOAP
header. Timeout headers specify how long a request has before
it expires. Taken in the context of WS-I’s Basic Profile, Nadalin said
ID-WSF headers can be confusing.

“The problem here is that I don’t know what that timeout would apply to,”
he said. “In their environment, I understand that but when they start
to compose with normal Web services, it’s very hard to determine what that
timeout was meant to be.

“Was that a timeout in the sense of reliable messaging?
Do I time-out the whole message or just the content of the body? It can be
very hard to apply what Liberty has done in their Web services to what I
would call WS-I-compliant Web services.”

Liberty officials disagreed with the confluence problem. Liberty Vice
President Timo Skytta said several LAP members have implemented Liberty
ID-WSF specs in their products and firmly believe their implementations to
be compliant to WS-I Basic Profile.

“Regarding the Timeout SOAP Header Block used within Liberty ID-WSF, one
needs to note that it is optional to implement, and it applies, as stated on
the spec, to the request being made, i.e. to the processing of the specific
transaction data, not to SOAP or HTTP layers,” said Skytta, who is also a director of Web services at mobile phone giant Nokia.

Skytta said it was added to the specs as one of the requirements from
Liberty customer members who felt that the timeout support provided by WS-I
Basic Profile didn’t allow them to address the business transaction.

To be clear, Nadalin isn’t accusing Liberty of not playing ball. He
complimented Liberty for endorsing the WS-Security standard he helped bring
to the fore. Liberty also just announced that it is extending its
interoperability testing program to include SAML 2.0 , with its
first testing event planned for July 2005.

It’s just an issue of convergence that needs to work itself out if the
industry wants to progress along the long, winding Web services path.

“What we’re trying to do is see where we can get compatibility or
commonality of the existing sets of Web services specs,” Nadalin said.

Technical disparities are old hat and legion for Web services, a space
research firms like ZapThink estimates will balloon to reach several billion
dollars over the next few years.

This is a salient reason why IBM, Microsoft and BEA, along with Computer
Associates, DataPower, Oracle, Reactivity, Panacea, RSA Security, Sarvega,
Sun Microsystems, Systinet, TIBCO and Verisign, will show cooperation on
WS-Security next week.

At the Gartner event, each vendor will show how it was able to write software based
on WS-Security that allows users to encrypt, digitally sign or decrypt Web
services messages. Many of these companies have demonstrated such
interoperability before, but never on such a broad level.

Nadalin said WS-Security uptick is big among XML firewall vendors, such as
Reactivity, DataPower and Layer 7.

News Around the Web