Welcome!

Francois Lascelles

Subscribe to Francois Lascelles: eMailAlertsEmail Alerts
Get Francois Lascelles via: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Top Stories by Francois Lascelles

Imagine a fresh business relationship between ACME Corporation and Partner. As a result of this relationship, ACME wants to grant Partner limited access to one of its core internal applications. They do this, naturally, by exposing a Web service. Why Identity Federation? Boris (an employee at Partner) sends a SOAP request to the ACME Web service along with some password or proof-of-possession type credentials. Because Boris's identity is managed outside of ACME, those credentials cannot be authenticated using ACME's authentication infrastructure. To circumvent this issue, one could imagine a setup where the ACME Web service authenticates Boris's credentials by connecting to Partner's authentication services. Another alternative might involve some sort of directory replication. These strategies were attempted in the '90s when distributed LDAP references appeared in t... (more)

JSON Schema Validation for RESTful Web Services

In the article "The importance of threat protection for restful web services", I presented a number of content-based threats for XML. When protecting an endpoint from XML based attacks, not only are payloads scanned for code injections, malicious entity declarations and parser attacks, XML documents are actually validated against strict schemas that clearly describe expected document structures. Enforcing this type of compliance at the edge, in a SOA gateway for example, minimizes the risk of attacks of the Web service endpoint. Structure definition languages such as XML Schema ... (more)

REST JSON to SOAP Conversion Tutorial

I often get asked about ‘REST to SOAP’ transformation use cases these days. Using an SOA gateway like SecureSpan to perform this type of transformation at runtime is trivial to setup. With SecureSpan in front of any existing web service (in the DMZ for example), you can virtualize a REST version of this same service. Using an example, here is a description of the steps to perform this conversion. Imagine the geoloc web service for recording geographical locations. It has two methods, one for setting a location and one for getting a location. See below what this would look like i... (more)

SOA Gateway Trends for 2011 and Beyond

It has been fascinating to witness how the use for SOA gateways evolved over time. In 2010, we saw an explosion of market demand for our gateway appliance product. Here are my thoughts for what I expect to see this year and beyond. Recent use cases for these types of devices largely focused on B2B interactions and internal enterprise integration. Many enterprise architects realized the benefits of using the lightweight ESB-in-a-box deployment model and gateway-based integration. I don’t think we’ve hit the peak of this type of use case. I expect the demand for quickly deployed int... (more)

OAuth Client Broker Tooling

In terms of OAuth enterprise tooling, a lot of focus is given to OAuth-enabling APIs exposed by the enterprise itself. Naturally, the demand for this reflects today’s reality where the enterprise is increasingly playing the role of an api provider. However, many enterprise integration use cases involving cloud-based services puts the enterprise in the role of API consumer, rather than provider. And as the number of enterprise applications consuming these external APIs grows, and the number of such external APIs themselves grows, point-to-point OAuth handshakes become problematic.... (more)