Wednesday, November 22, 2006

Oracle BPEL Process Manager

The following article, published in SOA Web Services Journal, provides a good glimpse into interoperability issues between Microsoft .NET WCF and Oracle BPEL Process Manager. It highlights a couple of interesting items:

1. WS-Addressing is required for endpoint representation, especially for long-running transactions where the server invokes a callback to the client to send the response once processing is complete. Oracle BPEL Process Manager supports a different version of WS-Addressing than Microsoft .NET WCF, so WS-Addressing will not work out of the box. Luckily, Oracle BPEL Process Manager supports WS-BPEL extensions (bpelx:headerVariable) that give the BPEL process access to header information sent by the client. With a handle on the header information, the BPEL Process Manager can manipulate the WS-Addressing information and ensure that the process executes and that the callback is compliant with what the .NET WCF client is expecting.

2. When a server is WS-Security enabled and is expecting a Username Token, an X.509 token, or a SAML assertion in the SOAP header, the BPEL Process Manager can again use WS-BPEL extensions (such as bpelx:inputHeaderVariable) to stuff SOAP headers with tokens before invoking an endpoint that expects this information.

Really Cool Stuff!
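The version mismatch in item 1 shows up on the wire as a different WS-Addressing namespace on the header elements. The sketch below is an example added here, not code from the article, Oracle, or Microsoft, and it uses Python rather than BPEL: it detects which published WS-Addressing namespace a request uses and rewrites the header elements and the anonymous address into a target version. The sample envelope, callback URL, and the choice of source and target versions are constructed for illustration; other differences between versions are not handled.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
# Published WS-Addressing namespaces mapped to their "anonymous" endpoint URIs.
WSA = {
    "http://schemas.xmlsoap.org/ws/2003/03/addressing":
        "http://schemas.xmlsoap.org/ws/2003/03/addressing/role/anonymous",
    "http://schemas.xmlsoap.org/ws/2004/08/addressing":
        "http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous",
    "http://www.w3.org/2005/08/addressing":
        "http://www.w3.org/2005/08/addressing/anonymous",
}

def wsa_version(envelope_xml):
    """Return the WS-Addressing namespace used in the SOAP header, or None."""
    header = ET.fromstring(envelope_xml).find(f"{{{SOAP}}}Header")
    if header is None:
        return None
    for el in header.iter():
        ns = el.tag[1:].split("}")[0] if el.tag.startswith("{") else ""
        if ns in WSA:
            return ns
    return None

def retarget(envelope_xml, target_ns):
    """Rewrite WS-Addressing header elements (and anonymous URIs) into target_ns."""
    if target_ns not in WSA:
        raise ValueError("unknown WS-Addressing namespace: " + target_ns)
    source_ns = wsa_version(envelope_xml)
    if source_ns is None or source_ns == target_ns:
        return envelope_xml  # nothing to translate
    root = ET.fromstring(envelope_xml)
    for el in root.find(f"{{{SOAP}}}Header").iter():
        if el.tag.startswith(f"{{{source_ns}}}"):
            el.tag = f"{{{target_ns}}}" + el.tag.split("}", 1)[1]
            if el.text and el.text.strip() == WSA[source_ns]:
                el.text = WSA[target_ns]
    return ET.tostring(root, encoding="unicode")

# Constructed sample request; the callback URL is made up.
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP}"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
  <soap:Header>
    <wsa:ReplyTo><wsa:Address>http://client.example/callback</wsa:Address></wsa:ReplyTo>
    <wsa:FaultTo><wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address></wsa:FaultTo>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""
```

Rewriting headers this way invalidates any XML signature that covers them, so where WS-Security signing is in use the translation has to happen before the message is signed.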

Web Services and SOA
— People sometimes ask what a service-oriented architecture enables today that could not have been done with the older, proprietary integration stacks of the past 5 to 15 years, such as those from Tibco, IBM, or Vitria. One such ability is the greater degree of interoperability between heterogeneous technology stacks that is made possible by the standards SOA is built on, such as Web services and BPEL. Although interoperability is only one facet of the SOA value proposition, it is one that has become increasingly more important, due in large part to the evolving IT environment, merger and acquisition activity, and increased partner connectivity.

Wednesday, November 08, 2006

CSI 33 Orlando

I like the fact that Orlando Airport offers a free wireless connection and that I am able to make this blog entry in front of Terminal 73 while I wait for my flight back to Boston.

CSI 33 is a Computer Security Conference where security professionals gather to stay current with IT security related issues. This is my second CSI and just by the attendance at my talk, I can see the rapidly increasing interest amongst Security Professionals in testing, discovering and remediating SOA security related issues. CSI 33 had an entire Web Service Track with four sessions around SOA Security and Threat related issues. I chose to present under the Attacks and Countermeasures track and was pleasantly surprised that the room was almost packed for an early morning session. I was also impressed by the level of questions coming in from the audience. One individual from Salesforce.com was focused on security issues for the web services based AppExchange interface with over 400 third party applications developed against their API.

More so than ever, I believe that Web Services & SOA security is something security professionals are not just aware of, but now see as their responsibility. Security Professionals are making great strides in understanding the nuances of web services security and how it is a logical extension of their domain given that they are already dealing with application security issues within HTTP(S), HTML, Cookies and the HTTP header in general. Now they have to go deeper in the SOAP packets and make sure that the back end systems are tested and secured for SOAP-borne vulnerabilities.

Wednesday, November 01, 2006

BEA WebLogic 9.2: Testing SOAP Encryption

One of the most powerful capabilities of application servers such as BEA's new WebLogic 9.2 is message-level security. Such features make WebLogic a natural component for a SOA deployment.

In the article, posted on BEA's dev2dev.bea.com website, the message-level encryption capabilities of WebLogic are explored and a step-by-step guide is provided, from downloading the server to setting up your first policy.

http://dev2dev.bea.com/pub/a/2006/10/message-level-encryption.html


Give WLS 9.2 a spin, it's simple, easy and powerful.