March 17, 2004

Web service alphabet soup

Some time back, I was preparing a document on Web service standards, specifically the security-related ones, and was overwhelmed by the sheer number of them. I wrote up this rough guide to the Web services 'alphabet soup' to help me get a big picture of what the standards are and where they fit in.

Basic standards

  • SOAP (Simple Object Access Protocol) defines the format of messages on the 'wire'.
  • WSDL (Web Services Description Language) is used to describe the programmatic interface exposed by a Web Service, and (optionally) the URL for accessing it.
  • UDDI (Universal Description, Discovery and Integration) allows for discovery of not just Web services, but also supports a more general 'yellow page' lookup for companies and services that they provide.
  • WS-Inspection is a lightweight discovery standard being pushed by Microsoft and IBM that merges their earlier efforts: IBM's Advertisement and Discovery of Services (ADS) and Microsoft's Discovery of Web Services (DISCO).

The discovery standards haven't (to date) had much traction. SOAP and WSDL, on the other hand, are widely used.

Web service Composition standards

  • BPEL4WS (Business Process Execution Language for Web Services) consolidates Microsoft's XLANG and IBM's Web Services Flow Language (WSFL)
    • WS-Coordination is used along with BPEL4WS for coordinating services
    • WS-AtomicTransaction defines the atomic transaction coordination type used by WS-Coordination specification.
  • WSCI (Web Service Choreography Interface) is Sun's alternative to BPEL4WS. It is now a W3C Note; however, BPEL4WS has had more acceptance in the market.
  • BPML (Business Process Modeling Language) has been around longer than the other standards, but doesn't have backing from any major enterprise software company. OK, BEA is listed as a member, but BEA is also an author of BPEL4WS and WSCI. Go figure!

These three competing standards allow for workflow-type applications with Web services.

Web Service QoS standards

  • WS-Transaction defines a transaction model for Web Services.
  • WS-ReliableMessaging deals with reliable delivery of messages between Web Services and client applications.

Security Standards

Security for Web services can be achieved at two levels: either at the 'wire' level or at the XML level. Wire level security, also called transport layer security, uses existing Internet protocols to secure the traffic between the Web Service and the client application. For example, you can use:

  • HTTP-based authentication (HTTP BASIC, HTTP Digest, or CLIENT-CERT, i.e. client certificates presented during the SSL handshake)
  • SSL for encrypting data in transit (and for authenticating the server to the client)
  • Either a custom access control mechanism, or J2EE/Realm-based access control

Wire level security is fine so long as you have one Web Service provider and a simple security policy. However, things become difficult if you have a number of Web Service providers, or a document being passed around by different services (such as in a workflow). This is because transport layer security mechanisms only secure the exchange between two adjacent endpoints, hop by hop: every intermediary (a SOAP router, a workflow engine, a proxy) terminates the SSL session, sees the message in the clear and can alter it before forwarding it. They do not provide an end-to-end security model.

In XML level security, also called message level security, the security information (signatures, encrypted elements, security tokens) and access policies are bundled in the message itself, so they survive passage through intermediaries and can be checked by the final recipient. There is a long list of standards in this space, though the ones that have some market acceptance at the moment are XML-Encryption, XML-Signature (also used as part of WS-Security) and SAML.

  • The basic Message level security standards
    • XML-Signature is an XML syntax for digital signatures over arbitrary data, including selected parts of the XML document that carries the signature.
    • XML-Encryption specifies an XML syntax for representing encrypted data, whether a whole web resource (including another XML document) or individual elements of an XML document.
    • XKMS is a protocol for distributing and registering public keys, and is intended to be used along with XML-Signature and XML-Encryption.
    • WS-Security is a transport-neutral mechanism for securing SOAP messages. It builds upon XML-Signature (integrity) and XML-Encryption (confidentiality), and also specifies how security tokens can be attached to a message in a Security header.
  • Security token standards

    These standards aim to enable interoperable authentication and authorization across systems. This is done by having security tokens bundled along with a SOAP message, and these tokens can be in any format, such as X.509 certificates, Kerberos tickets or SAML assertions.

    X.509 and Kerberos have been around for a long time; they pre-date Web Services. SAML (Security Assertion Markup Language) is however getting a lot of commercial attention, and has a number of implementations. There is another standard with some overlap to SAML called XACML (eXtensible Access Control Markup Language), which, as the name suggests, is an access control rule language: SAML asserts who a subject is and what attributes it has, XACML decides what that subject may do.

  • Identity

    Liberty and Passport try to solve the same problem (single sign on, identity) but approach it differently. Liberty has a federated architecture and is based on SAML. It consists of a set of specifications and depends on vendors to provide implementations. Passport, on the other hand, is a centralized service run by Microsoft, and is implemented in Microsoft’s Hotmail, Messenger and ISP services.

  • Federation and trust related
    • WS-Federation defines mechanisms that are used to "enable identity, account, attribute, authentication, and authorization federation across different trust realms".
    • WS-Trust (Web Services Trust Language) is an extension to WS-Security that specifies how security tokens are exchanged and trust established.
  • Policy management standards
    • WS-Policy (Web Services Policy Framework) is a model for describing the policies of a Web service. It can be extended to describe service requirements, preferences, and capabilities.
    • WS-SecurityPolicy (Web Services Security Policy) defines the WS-Policy assertions that apply to WS-Security, such as which parts of a message must be signed or encrypted and which token types a service accepts.
  • The other security standards (the ones I couldn't classify!)
    • WS-SecureConversation builds on WS-Security and defines how security contexts are established and shared, and how session keys can be derived from these contexts, so that a sequence of messages does not need a full asymmetric handshake each time.
    • WS-Authorization will define how Web Services manage authorization data and policies
    • XrML (eXtensible rights Markup Language) is a language for expressing rights and conditions associated with digital content.
    • WS-Privacy will define how Web Services state and implement privacy practices.
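The simplest of the WS-Security token types above is the UsernameToken, so it makes a good illustration of what "bundling security information in the message itself" looks like in practice. The following Python script is an added example, not code from the original post: it builds a SOAP envelope with a wsse:Security header carrying a UsernameToken (digest form, per the OASIS UsernameToken Profile 1.0: PasswordDigest = Base64(SHA-1(nonce + created + password))), and then verifies it the way a service endpoint would, rejecting cleartext passwords, stale Created timestamps and replayed nonces. The namespace URIs are the real OASIS WSS 1.0 ones; the user names, passwords, the demo body and the five-minute freshness window are constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Real namespace/type URIs from the OASIS WSS 1.0 specifications.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)


def _q(ns, tag):
    return "{%s}%s" % (ns, tag)


def password_digest(nonce, created, password):
    """PasswordDigest = Base64(SHA-1(nonce + created + password)); nonce is the raw bytes."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(h).decode("ascii")


def build_request(username, password, body_xml, nonce=None, created=None):
    """Client side: wrap body_xml in a SOAP envelope carrying a WS-Security UsernameToken."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    env = ET.Element(_q(SOAP, "Envelope"))
    header = ET.SubElement(env, _q(SOAP, "Header"))
    sec = ET.SubElement(header, _q(WSSE, "Security"))
    sec.set(_q(SOAP, "mustUnderstand"), "1")   # a receiver that cannot process it must fault
    tok = ET.SubElement(sec, _q(WSSE, "UsernameToken"))
    ET.SubElement(tok, _q(WSSE, "Username")).text = username
    pw = ET.SubElement(tok, _q(WSSE, "Password"))
    pw.set("Type", PASSWORD_DIGEST)
    pw.text = password_digest(nonce, created, password)
    n = ET.SubElement(tok, _q(WSSE, "Nonce"))
    n.set("EncodingType", BASE64_BINARY)
    n.text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, _q(WSU, "Created")).text = created
    body = ET.SubElement(env, _q(SOAP, "Body"))
    body.append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


class TokenVerifier:
    """Service side: check password type, Created freshness, nonce reuse and the digest."""

    def __init__(self, passwords, max_skew=timedelta(minutes=5)):
        self.passwords = passwords        # username -> password; a constructed demo store
        self.max_skew = max_skew          # assumed freshness window for wsu:Created
        self.seen_nonces = set()          # replay cache (would need an expiry in production)

    def verify(self, xml_text, now=None):
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(xml_text)
        tok = root.find(".//" + _q(WSSE, "UsernameToken"))
        if tok is None:
            return False, "no UsernameToken"
        username = tok.findtext(_q(WSSE, "Username"))
        pw = tok.find(_q(WSSE, "Password"))
        nonce_el = tok.find(_q(WSSE, "Nonce"))
        created = tok.findtext(_q(WSU, "Created"))
        if pw is None or nonce_el is None or created is None:
            return False, "incomplete token"
        if pw.get("Type") != PASSWORD_DIGEST:
            return False, "refusing non-digest password"   # PasswordText is cleartext
        try:
            created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "bad Created timestamp"
        if abs(now - created_dt) > self.max_skew:
            return False, "Created outside freshness window"
        nonce = base64.b64decode(nonce_el.text or "")
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        secret = self.passwords.get(username)
        if secret is None:
            return False, "unknown user"
        expected = password_digest(nonce, created, secret)
        if not hmac.compare_digest(expected, pw.text or ""):
            return False, "digest mismatch"
        self.seen_nonces.add(nonce)       # only remember nonces of accepted messages
        return True, "ok"


if __name__ == "__main__":
    verifier = TokenVerifier({"alice": "s3cret"})
    msg = build_request("alice", "s3cret", "<GetQuote xmlns='urn:demo'><Symbol>IBM</Symbol></GetQuote>")
    print(msg)
    print(verifier.verify(msg))   # first delivery is accepted
    print(verifier.verify(msg))   # the same envelope again is a replay
```

Two caveats worth keeping in mind. A UsernameToken authenticates the sender only; it says nothing about the integrity of the Body, so a tampered body would still verify here, and binding the body to the token is the job of an XML-Signature in the same Security header. And because the nonce and Created value travel in the clear, anyone who captures the envelope can brute-force the password offline against the digest, so a digest token is still normally sent over SSL or inside an encrypted message.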

Grid computing related standards

Some new standards that aim to integrate Web Services and Grid computing:

In a later post I'll talk about my experiences with some of these standards, and the implementations I tried out.

I did an interview way back in July 2002 that talks about some of these protocols; somewhat dated, but interesting if you want to see what was around back then.

Update [May 03, 2004]:

I found an article at developerWorks that gives a very good overview of Web service specifications - at least those with support from IBM & Microsoft.

Posted by vivek at March 17, 2004 09:21 PM

Comments

Hi,

Can you tell me how to debug and deploy a Java web service?
Is there any software to do that?
I am using a Java web service to interact with MS Outlook. Please give me a solution for this problem.

With Regards,
sudhakar.m

Posted by: sudhakar at September 25, 2004 05:27 AM