I often get asked about ‘REST to SOAP’ transformation use cases these
days. Using an SOA gateway like SecureSpan to perform this type of
transformation at runtime is trivial to setup. With SecureSpan in front of
any existing web service (in the DMZ for example), you can virtualize a REST
version of this same service. Using an example, here is a description of the
steps to perform this conversion.
Imagine the geoloc web service for recording geographical locations. It has
two methods, one for setting a location and one for getting a location. See
below what this would look like in SOAP.
Tokens are at the center of API access control in the Enterprise. Token
management, the process through which the lifecycle of these tokens is
governed emerges as an important aspect of Enterprise API Management.
OAuth access tokens, for example, can have a lot of session information
associated to them:
scope; client id; subscriber id; grant type; associated refresh token; an
SAML assertion or other token the oauth token was mapped from; how often
it’s been used, from where.
While some of this information is created during OAuth handshakes, some of it
continues to evolve througho... (more)
Imagine a fresh business relationship between ACME Corporation and Partner.
As a result of this relationship, ACME wants to grant Partner limited access
to one of its core internal applications. They do this, naturally, by
exposing a Web service.
Why Identity Federation?
Boris (an employee at Partner) sends a SOAP request to the ACME Web service
along with some password or proof-of-possession type credentials. Because
Boris's identity is managed outside of ACME, those credentials cannot be
authenticated using ACME's authentication infrastructure.
To circumvent this issue, one cou... (more)
The WS Secure Conversation specification describes a mechanism letting
multiple parties establish a context (using the WS Trust Request Security
Token standard) and secure subsequent SOAP exchanges. Each WS Secure
Conversation session has an associated shared secret. Instead of using this
shared secret directly to sign and encrypt the conversation's messages,
symmetric keys are derived from the secret itself. Deriving new keys for each
message and different keys for signature and encryption limits the amount of
data that an attacker can analyze in attempting to compromise the con... (more)
As the enterprise is increasingly taking notice of WOA (Web Oriented
Architecture) these days, the need for security guidelines and standards for
RESTful Web services is becoming more pressing. Sure, RESTful Web services
are meant to borrow existing security mechanisms from the web and HTTP Basic
over SSL, when done right, is a great way to accomplish shared-secret based
authentication. Yet, for better or for worse, it is common to find REST API
providers defining their own authentication mechanisms.
Take for example the Amazon S3 REST API’s custom HTTP authentication
scheme. Us... (more)