XML and Web Services In The News - 11 July 2005

SOA Adventures, Part 2: Solve Challenges of Complex Business Transactions with the Active Object Model
Mark Davydov, IBM developerWorks
Broadly speaking, activity-centered services are intended for carrying out a single activity that typically involves a number of different applications (or systems) and a lot of specific functionality and data presentation within each application. One of the main characteristics of activity-centered services is that they provide execution guarantees, which are not limited to traditional ACID (atomicity, consistency, isolation, and durability) properties and might include timely constraints, state access flexibility, and multi-interaction transaction executions. Those guarantees might not only vary between applications, but also between transactions within an application, depending on properties of the transactional task, user preferences, and available system resources. Activity-centered services are foundational building blocks for supporting complex business transactions. This article describes how to use the active object model in Service-Oriented Architecture (SOA) as a primary means of designing so-called activity-centered services -- services explicitly geared towards handling well-defined tasks or processes, and that do their job by maintaining the computational state of all applications the specific activity uses.
See also: SOA references

App Integration Reflects a New Ideal
Alan Radding, Application Development Trends
App integration once meant painstaking point-to-point system integration with code specially written to enable one app to tap the processing of another and to share information between the two. Today, an organization faced with the need to automate manual processes and integrate systems has a host of options to choose from. XML, Web services, SOA and ESB have emerged as the new buzzwords of EAI, along with integration technologies such as business process management and enterprise content management. Web services streamline the process by which one system can request and receive processing and data from another system. Messaging service buses expedite the flow of information through the organization and make it simple for systems to grab the information they need while guaranteeing delivery. A variety of middleware transforms and translates system calls and data as needed. BPM tools and ECM systems also facilitate integration, as do Web portals, which can simplify integration and make it transparent to systems and users. Even the conventional middleware, EAI and message queuing vendors, such as Tibco, SeeBeyond, BEA Systems and webMethods, are adopting the latest technology advances and incorporating them into their toolsets.

McAfee Shares Internal Web-Services Security Tool
Elizabeth Millard, eWEEK
Security firm McAfee is offering one of its internal tools to the enterprise community for free, with the aim of increasing Web services security and protection. Coming out of the company's security services group, Foundstone Professional Services, the WSDigger is an open-source tool that helps identify vulnerabilities in Web services implementations. The tool is unique, said Foundstone Inc. consulting director Mark Curphey, because it finds holes and flaws in implementations that have already been built. Other security tools focus more intently on providing protections while implementations are under development. WSDigger was created as a way for Foundstone and McAfee Inc. users to do security testing on their own Web services projects, and the company decided to release the testing framework as a way to help the larger community. WSDigger contains sample attack plug-ins for SQL injection, cross-site scripting, and X-PATH injection attacks. According to McAfee, it takes a "black box penetration testing" approach, which imitates a malicious user. The test does not draw on internal code, and operates as a Web service client. Those who download the testing framework are also encouraged to customize the tool for tailored applications and share the enhanced tools with other users.

Federated Identity Start-Up Reveals SAML 2.0 Beta
Tony Baer, Computer Business Review
An often-quoted maxim is that the nice thing about standards is that there are so many to choose from. Nowhere is that truer than in the area of federated identity, where you have WS-Federation and WS-Trust (also known as WS-*, pronounced "WS-Star") going up against SAML and Liberty Alliance. While there has been some consolidation, with Liberty and OASIS getting together to produce the now-approved SAML 2.0 specification, at this point, it appears that the WS-* is not going away any time soon. Ping Identity Corp is stepping into the breach, announcing an early adopter beta program of a product that supports and translates SAML 2.0 tokens that is scheduled for release in Q1 next year. Ping is one of a number of players, from Reactivity to Forum, Sarvega, SOA Software, IBM, Microsoft and others, that have or are currently readying products that handle multiple tokens and security protocols. Next week, Ping will demonstrate translation of SAML 1.1 and the Kerberos tokens heavily used in Microsoft products at the Burton Group's annual Catalyst conference. Additionally, they are starting work on SAML 2.0 capability for at least one customer engagement. According to Eric Norlin, vice president of marketing for Ping, regardless of whether both factions come together or not, there is need for software that translates tokens because there are multiple varieties out there. In addition to tokens from legacy systems such as IBM's 30-year-old RACF, other common variations include ACF, X.509 certificates, and XACML policies.
See also: XACML references

The BBC Seeks Escape from Patent Minefield
Neil McAllister, InfoWorld
New technologies may be the last hope for a licensing-free future for multimedia. [Although] open standards and open formats are becoming the preferred means of delivering digital documents, the picture isn't so rosy for multimedia. The BBC wants to change that. Supported by public funds, the BBC is committed to providing free and open access to audio and video media to a wide audience. But even for the largest broadcast media organization in the United Kingdom, breaking the grip of proprietary digital media standards isn't going to be easy. Anybody is free to license MPEG standards -- just as long as they pay the fees. The obvious losers in that kind of deal are open source projects, which often are but loosely knit groups of individuals in no position to pay any kind of fee, no matter how "reasonable." But potential users of those projects lose, as well. Consider the growing number of people in the developing world who rely on open source for all their computing needs, and you'll see how patent-encumbered technologies do not pose a long-term solution for a media organization with a mission similar to the BBC's. To push past this encumbrance, the BBC took an unorthodox step: It decided to develop its own multimedia codec. Called Dirac, the new format is fully open source, supports high-resolution video, and promises a twofold increase in compression compared with current MPEG standards at the same video quality.

