JAX London Autumn Edition 2010
Thilo Frotscher On WS-Security
The second-ever JAX London conference is getting closer, and those looking to take advantage of our Early Bird discount will have to move fast! At the conference, independent Software Architect and Trainer Thilo Frotscher will deliver two sessions on web service security, and a full-day tutorial! JAXenter caught up with Thilo Frotscher to find out what JAX London attendees can look forward to.
JAXenter: At JAX London you will deliver a session on web service security. What, in your opinion, are the areas where the popular WS-Security standard is limited?
Thilo Frotscher: WS-Security provides a standardized mechanism to implement common security requirements. For example, it can be used to encrypt your communication or to send and validate digital signatures. It also allows you to include a variety of security tokens in your messages, ranging from username tokens to SAML or Kerberos tokens.
So WS-Security offers a lot of base functionality. While this is sufficient for many scenarios, it's not for others. For example, some organisations would like to implement security as a service, where there is a dedicated service that handles certain security-related functionality. This could be a token service that publishes, validates and renews security tokens. While WS-Security allows you to include such tokens in your messages, it does not provide a standardized way to communicate with a token service. If you want to implement such an architecture, additional protocols are needed that build on top of WS-Security.
Another limitation is related to encrypted communication, where WS-Security typically creates an individual secret key for every single message that is sent. In scenarios where two communication partners exchange a large number of messages, this is not very efficient. Instead, it'd be better to establish a single security context for the entire communication.
JAXenter: How does the WS-SecureConversation standard extend WS-Security?
Thilo Frotscher: WS-SecureConversation is the standard that allows exactly that: to establish a security context for a communication.
JAXenter: Which 'advanced' aspects of service security will you touch upon in this session?
Thilo Frotscher: We will talk about advanced topics like the ones mentioned above and how protocols like WS-Trust or WS-SecureConversation can be used to implement those scenarios. Another scenario that is becoming more common is a single sign-on mechanism for service clients. We'll also talk about available implementations for these advanced security standards and about their interoperability, of course.
JAXenter: You are also running a hands-on tutorial on developing secure web service applications. What can attendees hope to learn from this tutorial?
Thilo Frotscher: This will be a very practical workshop with many exercises.
We'll implement a secure service (and client), applying many best practices along the way. Attendees will learn about different development approaches, how to test services during development, and how to make sure that services are loosely coupled. All in one day. The workshop will be a good opportunity to pick up many tips and tricks gathered in countless projects.
Early Bird registration ends 13th August, 2010!