Has Web services security progressed far enough that it's safe to throw open your Windows?
Reactivity Inc. thinks it's achieved just that with the latest release of its XML operating system, which creates a framework for sharing Kerberos tickets and other security credentials between Microsoft Windows applications and the rest of a corporate application stack. Until now, Web services security has been bottlenecked by the inability to share credentials between Windows and other back-end systems.
"Microsoft-based credentials only work if you've got Microsoft at the back end," said Larry Titus, manager of Web services infrastructure at Xerox Corp.
In the version 4.3 release of its XOS product, Reactivity has added support for Integrated Windows Authentication and Microsoft Office Information Bridge Framework, plus Liberty Alliance-conformant SAML 2.0. Together, these create a mediation point inside the DMZ where disparate authentication credentials can be mapped to one another.
"We can now pass a Kerberos ticket or other type of credential straight through from Windows to another platform with no re-authentication required," said Andrew Nash, chief technology officer for Reactivity. "The gateway does the transformation."
He added that the support for the Office Information Bridge Framework enabled the XML gateway to tie applications like Microsoft Exchange to other back-end applications.
Nash, a co-author of the proposed WS-Trust specification, said that much of the needed work in the industry centers on resolving these sorts of bottlenecks in order to create a seamless and transparent service-oriented architecture.
"You need to be able to get running now and be able to add new, more complex functionality later with the confidence that your infrastructure can grow with you," he said.
Titus plans to install XOS 4.3 and believes it will solve some of his Web services security concerns.
"I don't like sending passwords in the messages," he said. "That's not a secure way of doing things. I prefer to drill down and get credentials."
Xerox already has Java connections into a Netegrity Inc. single sign-on directory, but many Microsoft client-side applications can't share those credentials.
"Once we get the gateway in place we'll be able to use more Office Web services features and .NET Web services," Titus said.
In addition to the federated authentication capabilities, Reactivity has added PKZIP compression to help handle high-traffic messaging environments and a new Java-based software development kit (SDK), which allows users to build business logic into the network.
Nash said the challenge for an XML gateway is far more than just streaming a message from one point to another; it has to be able to pass credentials instantaneously and virus-scan attachments. Given the growing size of attachments, sometimes up to 4 GB, that scanning creates another potential bottleneck, Nash said.
"If you have 10 of them arrive in a second you're probably in deep sneakers," he said. "We've built in functionality to help process those sorts of real-life messaging concerns."
The SDK is a first-blush attempt at allowing users to code their own rules into their XML networks. Nash expects initial usage to center on functionality like filtering, transformation and routing for XML packets, but he's looking for leaps to follow those baby steps.
"I think you'll start to see some pretty interesting workflows built in the next year to year-and-a-half," he said. "The ability to build your policies into the gateways is an incredibly powerful concept in achieving a loosely-coupled architecture."