Francois Lascelles

Subscribe to Francois Lascelles: eMailAlertsEmail Alerts
Get Francois Lascelles via: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn

Top Stories by Francois Lascelles

In the article "The importance of threat protection for restful web services", I presented a number of content-based threats for XML. When protecting an endpoint from XML based attacks, not only are payloads scanned for code injections, malicious entity declarations and parser attacks, XML documents are actually validated against strict schemas that clearly describe expected document structures. Enforcing this type of compliance at the edge, in a SOA gateway for example, minimizes the risk of attacks of the Web service endpoint. Structure definition languages such as XML Schema Definition (XSD), schematron, XPath are all helpful tools in describing the type of data and structure of XML documents that are expected at runtime. JavaScript Object Notation (JSON) is increasingly being considered as an alternative to XML and already established as the preferred content-typ... (more)

Mobile-friendly federated identity, Part 1 – The social login legacy

If I were to measure the success of a federated identity system, I would consider the following factors: End user experience (UX); How easy it is for a relying party to participate (frictionless); How well it meets security requirements.   I get easily frustrated when subjected to bad user experience regarding user login and SSO but I also recognize apps that get this right. In this first part of a series on the topic of mobile-friendly federated identity, I would like to identify winning patterns associated with the social login trend.   My friend Martin recently introduced me t... (more)


SOA & WOA Magazine on Ulitzer Existing brokered authentication standards such as SAML Web Browser SSO or OpenID accommodate RESTful web services for browser driven use cases. However, what about RESTful service composition patterns where identities need to be propagated across nested service invocations, or any RESTful Web service client that is not browser based for that matter? How should brokered authentication for such RESTful service calls be handled? An interesting example of a RESTful Security Token Service (STS) was described in March 2009 by Pablo Cibraro (aka ‘cibrax’).... (more)

REST JSON to SOAP Conversion Tutorial

I often get asked about ‘REST to SOAP’ transformation use cases these days. Using an SOA gateway like SecureSpan to perform this type of transformation at runtime is trivial to setup. With SecureSpan in front of any existing web service (in the DMZ for example), you can virtualize a REST version of this same service. Using an example, here is a description of the steps to perform this conversion. Imagine the geoloc web service for recording geographical locations. It has two methods, one for setting a location and one for getting a location. See below what this would look like i... (more)

SOA Gateway Trends for 2011 and Beyond

It has been fascinating to witness how the use for SOA gateways evolved over time. In 2010, we saw an explosion of market demand for our gateway appliance product. Here are my thoughts for what I expect to see this year and beyond. Recent use cases for these types of devices largely focused on B2B interactions and internal enterprise integration. Many enterprise architects realized the benefits of using the lightweight ESB-in-a-box deployment model and gateway-based integration. I don’t think we’ve hit the peak of this type of use case. I expect the demand for quickly deployed int... (more)