Mashed Articles

SAML, WS-Security and the Secure Token Service of WS-Trust result in a very interesting mix, where federated identity and integration (web services) come together.
Microsoft has published the free book(let) “A Guide to Claims–based Identity and Access Control“. Obviously the book is focused on Microsoft technology, ADFS (code name Geneva), FAM and WIF in particular. But I found the first 2 chapters very informative and well written.

E.g. interesting to have confirmation that applications need to keep maintaining fine grained (data level) authorizations themselves.

Also intersting to read about the challenge of home realm discovery: how to know to what Identity provider an external user should be redirected to.

One of the main challenges in my opionion with federated identity is the transformation of tokens/claims. Unless there is further standardization (profiles), the integration with each external business partners will require token transformations. There seems to be a general tendency in WS-land not to bother too much with the actual business content of SOAP messages or SAML tokens.

The day when SAML tokens can be used in an interoperable manner to connect to back-end applications such as SAP or Oracle will be a great day. Looking forward to it.

IBM recently published an article on the use of WS-ReliableMessaging between WebSphere 6.1 and Axis2. Most interesting I found the part on the Quality of Service of WS-RM:

• Unmanaged non-persistent tolerates network and remote system failures. You can configure Web service applications to use WS-RM with a default in-memory message store. This QoS requires minimal configuration; it is for a single server only and does not support clusters. Although this QoS allows for the re-sending of messages that are lost in the network, failure of a server results in lost messages. The default is unmanaged non-persistent.
  

• Managed non-persistent tolerates system, network, and remote system failures, but state is discarded after the messaging engine restarts. This in-memory QoS option supports clusters as well as single servers. This option uses a messaging engine to manage the sequence state, and messages are written to disk if memory is low. This QoS allows for the resending of messages that are lost in the network, and can also recover from server failure. However, a failure of the messaging engine causes message loss.

• Managed persistent tolerates system, network, and remote system failures. This QoS for asynchronous Web service invocations is recoverable. This option also uses a messaging engine and message store to manage the sequence state. Messages are persisted at the Web service requester server and at the Web service provider server, and are recoverable if the server fails. Messages that have not been successfully transmitted when a server fails can continue to be transmitted after the server restarts.

QoS of WS-RM is actually not part of any standard. Most implementations of WS-RM are non-persistent, in particular Microsoft WCF and Sun’s Metro. And that is in my opinion the major shortcoming of the WS-* story. The WS-RX committee should have made message persistence part of the WS-RM spec and/or the WS-RM Policy spec.

Anyway, IBM has a persistent implementation of WS-RM. And so has SAP: SAP doesn’t even give you the option and uses persistent WS-RM as its default. Well done by SAP, although the SAP implementation is based on an older version of the WS-RM spec (WS-RM 2005/02.)

What I don’t find are reports of the use of persistent WS-RM between stacks of different vendors, e.g. between IBM and SAP. Maybe we’ll need to have a go ourselves one day?

JMS or Java Message Service is the basis and standard API for asynchronous, reliable messaging.

After 10 years, a new (2nd) edition of the book “Java Message Service” was recently published. Mark Richards reworked the original edition by David Chappell (ex-Sonic, now Oracle) and Richard Manson-Haefel.

Having just skimmed through the book, it did look very intersting. Obviously an extensive treatment of the API (and thus specification). But nice to see code samples based on ActiveMQ, some explanation of character encoding, use of non-JMS clients (.Net, C++), dynamic vs. administered queues, message driven beans (MDB) and Spring and Security.

Some topics that did not seem to be addressed:SOAP over JMS, REST-like access tot JMS providers, persistence mechanisms (database or file based),

Messaging solutions are still the core backbone for many ESB’s and integration solutions. The JMS API remains the standard abstration layer for both Java (ActiveMQ, SonicMQ, OpenMQ, Fiorano) and non-Java based messaging (Tibco , WebSphereMQ, SoftwareAG WebMethods, Oracle AQ) solutions.