Thilo Frotscher On WS-Security
JAXenter speaks to independent Software Architect and Trainer Thilo Frotscher, on his forthcoming sessions at JAX London.
The second ever JAX London conference is getting closer, and those
looking to take advantage of our Early Bird discount will have to
move fast! At the conference, independent Software Architect and
Trainer Thilo Frotscher will deliver two sessions on web service
security, and a full day tutorial! JAXenter caught up with Thilo
Frotscher, to find out what JAX London attendees can look forward
JAXenter: At JAX London you will deliver a
session on web service security. What, in your opinion, are the
areas where the popular WS-Security standard is limited?
Thilo Frotscher: WS-Security provides a
standardized mechanism to implement common security requirements.
For example, it can be used to encrypt your communication or to
send and validate digital signatures. It also allows to include a
variety of security tokens into your messages, ranging from
username tokens to SAML or Kerberos tokens.
So WS-Security offers a lot of base functionality. While this is
sufficient for many scenarios, it’s not for others. For example,
some organisations would like to implement security as a service,
where there is a dedicated service that handles certain security
related functionality. This could be a token services that
publishes, validates and renews security tokens. While WS-Security
allows to include such tokens into your messages, it does not
provide a standardized way to communicate with a token service. If
you want to implement such an architecture, additional protocols
are needed that build on top of WS-Security.
Another limitation is related to encrypted communication, where
WS-Security typically creates an individual secret key for every
single message that is sent. In scenarios where two communication
partners exchange a large number of messages, this is not very
efficient. Instead, it’d be better to establish a single security
context for the entire communication.
JAXenter: How does the WS-SecureConversation
standard extend WS-Security?
Thilo Frotscher: WS-SecureConversation is the
standard that allows exactly that: to establish a security context
for a communication.
JAXenter: Which ‘advanced’ Aspects of service
security will you touch upon in this session?
Thilo Frotscher: We will talk about advanced
topics like the ones mentioned above and how protocols like
WS-Trust or WS-SecureConversation can be used to implement those
scenarios. Another scenario that is becoming more common is a
single sign-on mechanism for service clients. We’ll also talk about
available implementations for these advanced security standards and
about their interoperability, of course.
JAXenter: You are also running a hands-on
tutorial on developing secure web service applications, what can
attendees hope to learn from this tutorial?
Thilo Frotscher: This will be a very practical
workshop with many exercises.
We’ll implement a secure service (and client), applying many
best practices along the way. Attendees will learn about different
development approaches, how to test services during development,
and how to make sure that services are loosely coupled. All in one
day. The workshop will be a good opportunity to pick up many tips
and tricks gathered in countless projects.
Bird registration ends 13th August, 2010!