The next JUG-PT (Portuguese Java Users Group) meeting is on January, 29.
The agenda includes a presentation on Maven, which I have been using lately with a moderate degree of happiness.
Today, while preparing a training session on WCF, I decided to use Eclipse’s Web Services Explorer (WSE) to view and interact with a WCF-based service (using plain WSHttpBinding).
However, after processing the service’s WSDL description, WSE showed a service with an empty binding list.
Knowing that some web services stacks don’t support WSDL descriptions split across multiple files, I used the FlatWSDL endpoint behavior authored by C. Weyer. This behavior extends WCF’s WSDL export mechanism by inlining into the WSDL document all the schemas it references, directly or indirectly.
Unfortunately, WSE’s behavior remained the same: it continued to show a service with no bindings. After inspecting the generated WSDL again, I observed that it was still split into two WSDL documents: the first one with the <service> and <binding> elements, and the second one (imported by the first) with the remaining WSDL elements and the flattened schemas.
The reason for this split is explained in this post by Kirill Gavrylyuk: WCF produces separate documents when the WSDL elements (<service>, <binding>, <portType>, …) belong to different namespaces.
So one solution is to put all the elements in the same namespace, which is also described in the same post.
After this change, all the WSDL elements were contained in a single document and WSE finally showed the service binding.
These are the joys of interoperability.
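A quick way to check a WSDL for the two conditions described above, before pointing a tool such as WSE at it: does the root document import other WSDL documents, and do <service>, <binding> and <portType> all sit in one namespace? The following is an added example, not code from the original post or from WCF; the two embedded WSDL documents are constructed (hypothetical namespaces and names), the first in the split layout the post describes and the second in the single-document layout obtained after aligning the namespaces.

```python
import io
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"

# Constructed two-document layout of the kind described above: this root
# document carries <service> and <binding>, and imports a second document that
# carries the <portType>. All names and namespaces are hypothetical.
SPLIT_WSDL = """<?xml version="1.0"?>
<wsdl:definitions name="Calc" targetNamespace="http://tempuri.org/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:tns="http://tempuri.org/"
    xmlns:i0="http://example.invalid/calc"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/">
  <wsdl:import namespace="http://example.invalid/calc" location="calc_contract.wsdl"/>
  <wsdl:binding name="WSHttpBinding_ICalc" type="i0:ICalc">
    <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
  </wsdl:binding>
  <wsdl:service name="Calc">
    <wsdl:port name="WSHttpBinding_ICalc" binding="tns:WSHttpBinding_ICalc"/>
  </wsdl:service>
</wsdl:definitions>
"""

# The same (constructed) service once contract, binding and service share one
# namespace: no import, and the portType lives in the same document.
SINGLE_WSDL = """<?xml version="1.0"?>
<wsdl:definitions name="Calc" targetNamespace="http://tempuri.org/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:tns="http://tempuri.org/"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/">
  <wsdl:portType name="ICalc"/>
  <wsdl:binding name="WSHttpBinding_ICalc" type="tns:ICalc">
    <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
  </wsdl:binding>
  <wsdl:service name="Calc">
    <wsdl:port name="WSHttpBinding_ICalc" binding="tns:WSHttpBinding_ICalc"/>
  </wsdl:service>
</wsdl:definitions>
"""


def parse_with_prefixes(text):
    """Parse the document and also collect the prefix -> namespace map, which
    ElementTree does not keep on the tree; it is needed to resolve QName attributes."""
    prefixes, root = {}, None
    source = io.BytesIO(text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":
            prefixes[payload[0]] = payload[1]
        elif root is None:
            root = payload
    return root, prefixes


def resolve_qname(qname, prefixes):
    """Split 'prefix:local' into (namespace URI, local name); no prefix means the default namespace."""
    prefix, sep, local = qname.rpartition(":")
    return prefixes.get(prefix if sep else ""), local


def wsdl_report(text):
    """Report the root's target namespace, the namespaces it imports, and the
    namespace in which each of service/binding/portType is defined. The
    portType's namespace is read from the binding's type QName, so it is known
    even when the portType itself lives in an imported document."""
    root, prefixes = parse_with_prefixes(text)
    tns = root.get("targetNamespace")
    found = {}
    for local in ("service", "binding", "portType"):
        if root.find("{%s}%s" % (WSDL_NS, local)) is not None:
            found[local] = tns
    binding = root.find("{%s}binding" % WSDL_NS)
    if binding is not None and "portType" not in found:
        found["portType"], _ = resolve_qname(binding.get("type"), prefixes)
    imports = [imp.get("namespace") for imp in root.findall("{%s}import" % WSDL_NS)]
    return {"targetNamespace": tns, "imports": imports, "elements": found}


def is_single_document(text):
    """True when nothing is imported and every element found shares the target namespace."""
    r = wsdl_report(text)
    return not r["imports"] and all(ns == r["targetNamespace"] for ns in r["elements"].values())


if __name__ == "__main__":
    for label, doc in (("split", SPLIT_WSDL), ("single", SINGLE_WSDL)):
        print(label, wsdl_report(doc), "single-document:", is_single_document(doc))
```

Run against a live service by replacing the constructed strings with the text fetched from the `?wsdl` URL; an import list that is not empty, or a portType namespace that differs from the binding's, is the split layout the post ran into.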
More than once, I’ve been asked for a list of references on security in SOAP-based services. This time I’ve decided to blog it, so that I can find it and link to it in the future:
While looking for references on Automated Trust Negotiation, I found this paper: M. Winslett, N. Ching, V. Jones, I. Slepchin, “Using digital credentials on the World Wide Web”, Journal of Computer Security, 1997.
The concepts and solutions proposed by this paper, more than ten years ago, have lots of similarities with more recent proposals, such as the Identity Metasystem and related specifications.
1. Access control based on properties of the requestor
Winslett et al. propose this credential-based approach in opposition to the classical identity-based approach.
The Identity Metasystem extends the definition of identity to incorporate these properties, renamed as claims:
In the proposal by Winslett et al., properties are transported inside unforgeable and verifiable credentials, such as X.509 certificates. In the Identity Metasystem, this role is played by security tokens, such as SAML assertions, which can be signed (unforgeable) and have cryptographic subject confirmation methods (verifiable).
2. Policies describing credentials requirements
In Winslett et al.:
In the Identity Metasystem:
3. Client side security agent
In Winslett et al.:
In the Identity Metasystem, this role is played by the Identity Selector
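The three points above (access decided on the requestor's properties rather than identity, a policy stating which credentials are required, and a client-side agent that picks the credentials to disclose) can be seen together in a small model. This is an added example, not code from the paper or from the Identity Metasystem specifications: issuers, keys, claim names and the policy are all constructed, and credentials are authenticated with an HMAC under a shared issuer key so the example runs offline, standing in for the X.509 or SAML signatures the text refers to.

```python
import hashlib
import hmac
import json

# Constructed issuer key table (hypothetical). A real deployment would verify
# public-key signatures on X.509 certificates or SAML assertions instead.
ISSUER_KEYS = {
    "urn:example:university": b"constructed-university-key",
    "urn:example:dmv": b"constructed-dmv-key",
}


def issue_credential(issuer, claims):
    """Issuer signs a set of claims; note that no subject identity is required."""
    body = json.dumps({"issuer": issuer, "claims": claims}, sort_keys=True)
    sig = hmac.new(ISSUER_KEYS[issuer], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_credential(cred):
    """Return the signed body if the signature checks under a known issuer, else None (unforgeable + verifiable)."""
    try:
        body = json.loads(cred["body"])
    except (KeyError, TypeError, ValueError):
        return None
    key = ISSUER_KEYS.get(body.get("issuer"))
    if key is None:
        return None
    expected = hmac.new(key, cred["body"].encode(), hashlib.sha256).hexdigest()
    return body if hmac.compare_digest(expected, cred.get("sig", "")) else None


# Policy describing credential requirements: for each requirement, the claim,
# the values accepted and the issuers trusted for it. Nothing names the requestor.
POLICY = [
    {"claim": "affiliation", "accept": {"student", "staff"}, "issuers": {"urn:example:university"}},
    {"claim": "over18", "accept": {True}, "issuers": {"urn:example:dmv"}},
]


def satisfies(requirement, body):
    return (body["issuer"] in requirement["issuers"]
            and body["claims"].get(requirement["claim"]) in requirement["accept"])


def select_credentials(policy, wallet):
    """Client-side agent (the identity-selector role): for each requirement pick one
    credential from the wallet that satisfies it. Returns the credentials to disclose,
    or None when the policy cannot be met, so nothing is sent needlessly."""
    chosen = []
    for req in policy:
        match = next((c for c in wallet if satisfies(req, json.loads(c["body"]))), None)
        if match is None:
            return None
        if match not in chosen:
            chosen.append(match)
    return chosen


def decide(policy, presented):
    """Service side: verify every presented credential first, then evaluate the policy
    only against verified claims. Returns (granted, list of unmet claim names)."""
    verified = [b for b in map(verify_credential, presented) if b is not None]
    unmet = [req["claim"] for req in policy if not any(satisfies(req, b) for b in verified)]
    return (len(unmet) == 0, unmet)


if __name__ == "__main__":
    wallet = [
        issue_credential("urn:example:university", {"affiliation": "student"}),
        issue_credential("urn:example:dmv", {"over18": False}),   # an older credential
        issue_credential("urn:example:dmv", {"over18": True}),
    ]
    disclosed = select_credentials(POLICY, wallet)
    print("disclosing", len(disclosed), "credentials ->", decide(POLICY, disclosed))
```

The server never learns a name: it learns that some trusted issuer vouches for the properties the policy asks for. Altering a claim in a credential body invalidates its signature, so `decide` simply drops it and reports the requirement as unmet.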