Imagine a fresh business relationship between ACME Corporation and Partner.
As a result of this relationship, ACME wants to grant Partner limited access
to one of its core internal applications. They do this, naturally, by
exposing a Web service.
Why Identity Federation?
Boris (an employee at Partner) sends a SOAP request to the ACME Web service
along with some password or proof-of-possession type credentials. Because
Boris's identity is managed outside of ACME, those credentials cannot be
authenticated using ACME's authentication infrastructure.
To circumvent this issue, one could imagine a setup where the ACME Web
service authenticates Boris's credentials by connecting to Partner's
authentication services. Another alternative might involve some sort of
directory replication. These strategies were attempted in the '90s when
distributed LDAP references appeared in t... (more)
As the enterprise is increasingly taking notice of WOA (Web Oriented
Architecture) these days, the need for security guidelines and standards for
RESTful Web services is becoming more pressing. Sure, RESTful Web services
are meant to borrow existing security mechanisms from the web and HTTP Basic
over SSL, when done right, is a great way to accomplish shared-secret based
authentication. Yet, for better or for worse, it is common to find REST API
providers defining their own authentication mechanisms.
Take for example the Amazon S3 REST API’s custom HTTP authentication
scheme. Us... (more)
SOA Best Practices Digest
Although certain RESTful web services are of a ‘public’ nature and do not
have specific security requirements such as authentication and authorization,
any service that has an entry point from an untrusted network is subject to
attack and proper threat protection measures are always an essential
RESTful web services are closely aligned to the web itself and as such
inherit all traditional threats from the web. Although network level threats
are well understood and addressed by traditional firewall infrastructure,
RESTful web services typ... (more)
I often get asked about ‘REST to SOAP’ transformation use cases these
days. Using an SOA gateway like SecureSpan to perform this type of
transformation at runtime is trivial to setup. With SecureSpan in front of
any existing web service (in the DMZ for example), you can virtualize a REST
version of this same service. Using an example, here is a description of the
steps to perform this conversion.
Imagine the geoloc web service for recording geographical locations. It has
two methods, one for setting a location and one for getting a location. See
below what this would look like i... (more)
In terms of OAuth enterprise tooling, a lot of focus is given to
OAuth-enabling APIs exposed by the enterprise itself. Naturally, the demand
for this reflects today’s reality where the enterprise is increasingly
playing the role of an api provider. However, many enterprise integration use
cases involving cloud-based services puts the enterprise in the role of API
consumer, rather than provider. And as the number of enterprise applications
consuming these external APIs grows, and the number of such external APIs
themselves grows, point-to-point OAuth handshakes become problematic.... (more)