Web Services Still at an Impasse

Apr 15, 2005

Clint Boulton

Fifteen vendors with a common interest in distributed computing will show how they've been able to get the Web services security standard to work with each other's products next week.

IBM, Microsoft, BEA Systems and others are participating in the demonstration at Gartner's Application Integration and Web Services Summit next Wednesday. The demo will celebrate the one-year anniversary of WS-Security, a blueprint designed by OASIS members to ensure the secure exchange of messages between applications.

Software built on WS-Security could enable single sign-on Web services transactions, allowing users to shop or exchange info across different devices.

But as the industry trudges toward standards convergence, there remains some issues that need to be resolved among groups who want to establish Web services in different ways.

Tony Nadalin, lead author of WS-Security and a distinguished engineer and chief software architect for IBM, said that while great strides on crucial aspects of Web services have been made, there is some overlap that could impact developers and users.

For example, Nadalin said the identity Web services framework (ID-WSF) of the Liberty Alliance Project (LAP) has certain elements that duplicate efforts with the World Wide Web Consortium's (W3C) WS-Addressing spec.

ID-WSF has its own addressing spec, which could cause some problems, said Nadalin, who, as IBM's representative to the LAP, is familiar with the work of Liberty.

Moreover, Nadalin said ID-WSF is not compliant with the Basic Profile for Web services written by the Web Services Interoperability (WS-I) organization, of which IBM is a significant player. The problem is a technical one.

"The headers and bodies aren't compliant, and this is going to create some grief or worries with people that have tooling that generates WS-I compliant Web services," Nadalin said.

The engineer said Liberty places the timeout header as a major SOAP header. Timeout headers specify how long a request has before it expires. Taken in the context of WS-I's basic profile, Nadalin said ID-WSF headers can be confusing.

"The problem here is that I don't know what that timeout would apply to," Nadalin said. "In their environment, I understand that but when they start to compose with normal Web services, it's very hard to determine what that timeout was meant to be.

Nadalin continued: "Was that a timeout in the sense of reliable messaging? Do I time-out the whole message or just the content of the body? It can be very hard to apply what Liberty has done in their Web services to what I would call WS-I-compliant Web services."

Liberty officials disagreed with the confluence problem. Liberty Vice President Timo Skytta said several LAP members have implemented Liberty ID-WSF specs in their products and firmly believe their implementations to be compliant to WS-I Basic Profile.

"Regarding the Timeout SOAP Header Block used within Liberty ID-WSF, one needs to note that it is optional to implement, and it applies, as stated on the spec, to the request being made, i.e. to the processing of the specific transaction data, not to SOAP or HTTP layers," said Skytta, who is also a director of Web services at mobile phone giant Nokia.

Skytta said it was added to the specs as one of the requirements from Liberty customer members who felt that the timeout support provided by WS-I Basic Profile didn't allow them to address the business transaction.

To be clear, Nadalin isn't accusing Liberty of not playing ball.

He complimented Liberty for endorsing the WS-Security standard he helped bring to the fore. Liberty also just announced that it is extending its interoperability testing program to include SAML 2.0, with its first testing event planned for July 2005.

It's just an issue of convergence that needs to work itself out if the industry wants to progress along the long, winding Web services path.

"What we're trying to do is see where we can get compatibility or commonality of the existing sets of Web services specs," Nadalin said.

Technical disparities are old hat and legion for Web services, a space research firms like ZapThink estimates will balloon to reach several billion dollars over the next few years.

This is a salient reason why IBM, Microsoft and BEA, along with Computer Associates, DataPower, Oracle, Reactivity, Panacea, RSA Security, Sarvega, Sun Microsystems, Systinet, TIBCO and Verisign, will show cooperation on WS-Security next week.

At the event, each vendor will show how it was able to write software based on WS-Security that allows users to encrypt, digitally sign or decrypt Web services messages. Many of these companies have demonstrated such interoperability before, but never on such a broad level.

Nadalin said WS-Security up tick is big among XML firewall vendors, such as Reactivity, DataPower and Layer 7.

This article appears courtesy of


0 Comments (click to add your comment)
Comment and Contribute

Your comment has been submitted and is pending approval.



 (click to add your comment)

Comment and Contribute

Your name/nickname

Your email


(Maximum characters: 1200). You have characters left.