SOA Best Practices Digest
Although certain RESTful web services are of a ‘public’ nature and do not
have specific security requirements such as authentication and authorization,
any service that has an entry point from an untrusted network is subject to
attack and proper threat protection measures are always an essential
RESTful web services are closely aligned with the web itself and as such
inherit all of the web's traditional threats. Although network-level threats
are well understood and addressed by traditional firewall infrastructure,
RESTful APIs are also subject to content (or message) level
For example, consider APIs where XML payloads are POSTed and/or PUT from
external requesters. A particularly dangerous threat was uncovered last
summer involving a vulnerability in most XML parsing libraries used at the
time. An... (more)
SOA & WOA Magazine on Ulitzer
Existing brokered authentication standards such as SAML Web Browser SSO or
OpenID accommodate RESTful web services for browser-driven use cases.
However, what about RESTful service composition patterns where identities
need to be propagated across nested service invocations, or, for that matter,
any RESTful web service client that is not browser based? How should brokered
authentication for such RESTful service calls be handled?
An interesting example of a RESTful Security Token Service (STS) was
described in March 2009 by Pablo Cibraro (aka ‘cibrax’).... (more)
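To make the nested-invocation problem concrete, here is an added example (not Pablo Cibraro's code, nor anything from the original post) of a minimal RESTful STS and a two-hop service composition. The client authenticates once at the STS and receives an audience-bound token; the first service validates it, then exchanges it at the STS for a token aimed at the next service, with itself recorded in an actor chain so the downstream service sees both the end user and the intermediaries. The HMAC key, the user store, the service names `geoloc-api`/`geoloc-store` and the claim layout are all assumptions for this example; a production STS would sign with an asymmetric key and publish the verification key instead of sharing a secret.

```python
"""Toy RESTful STS with token exchange for nested service calls (added example)."""
import base64
import hashlib
import hmac
import json
import time

# Assumed: one HMAC key shared by the STS and the services that trust it (a real
# STS would sign with a private key and publish the verification key).
STS_KEY = b"example-sts-key-not-for-production"
# Constructed credential store for the STS (sha256 of the password, for the toy).
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
TOKEN_TTL = 300  # seconds


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _sign(claims: dict) -> str:
    """Serialize claims and append an HMAC tag: <b64 claims>.<b64 tag>."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(STS_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(tag)


def verify_token(token: str, audience: str, now=None) -> dict:
    """Check signature, expiry and audience; return the claims or raise."""
    body, _, tag = token.partition(".")
    expected = hmac.new(STS_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), tag):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if (time.time() if now is None else now) >= claims["exp"]:
        raise PermissionError("token expired")
    if claims["aud"] != audience:
        raise PermissionError(f"token not issued for {audience}")
    return claims


def _bearer(auth_header: str) -> str:
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise PermissionError("missing bearer token")
    return token


# --- STS operations; a real STS exposes these over HTTPS, e.g. POST /sts/token ---
def sts_issue(username: str, password: str, audience: str, now=None) -> str:
    """Primary brokered authentication: credentials in, audience-bound token out."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(USERS.get(username, ""), digest):
        raise PermissionError("authentication failed")
    now = time.time() if now is None else now
    return _sign({"sub": username, "aud": audience, "act": [],
                  "iat": now, "exp": now + TOKEN_TTL})


def sts_exchange(token: str, caller: str, new_audience: str, now=None) -> str:
    """Token exchange for a nested call: the intermediate service presents the
    token it received and gets one for the next hop. The user stays the subject
    and the caller is appended to the actor chain, so the downstream service can
    see both who the request is for and which services acted along the way."""
    claims = verify_token(token, audience=caller, now=now)
    now = time.time() if now is None else now
    return _sign({"sub": claims["sub"], "aud": new_audience,
                  "act": claims["act"] + [caller],
                  "iat": now, "exp": min(claims["exp"], now + TOKEN_TTL)})


# --- A two-hop composition: client -> geoloc-api -> geoloc-store (names assumed) ---
def geoloc_store_get(auth_header: str) -> dict:
    claims = verify_token(_bearer(auth_header), audience="geoloc-store")
    # Constructed response; a real store would look the location up by claims["sub"].
    return {"owner": claims["sub"], "via": claims["act"], "lat": 45.5, "lon": -73.57}


def geoloc_api_get(auth_header: str) -> dict:
    token = _bearer(auth_header)
    verify_token(token, audience="geoloc-api")                # the front-door check
    hop = sts_exchange(token, "geoloc-api", "geoloc-store")   # re-broker for the next hop
    return geoloc_store_get("Bearer " + hop)


def run_flow(username: str = "alice", password: str = "correct horse") -> dict:
    """Client authenticates at the STS, then calls the API with the token."""
    return geoloc_api_get("Bearer " + sts_issue(username, password, "geoloc-api"))


if __name__ == "__main__":
    print(run_flow())
```

The audience check is what keeps the first hop from simply forwarding the client's token: a token minted for `geoloc-api` is rejected by `geoloc-store`, so the intermediate service has to go back to the STS, and the exchange leaves an auditable chain of who acted for whom. Capping the exchanged token's expiry at the original's prevents a chain of exchanges from extending a session indefinitely.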
I often get asked about ‘REST to SOAP’ transformation use cases these
days. Using an SOA gateway like SecureSpan to perform this type of
transformation at runtime is trivial to set up. With SecureSpan in front of
any existing web service (in the DMZ, for example), you can virtualize a REST
version of that same service. Using an example, here is a description of the
steps to perform this conversion.
Imagine the geoloc web service for recording geographical locations. It has
two methods, one for setting a location and one for getting a location. See
below what this would look like i... (more)
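The post's step-by-step walkthrough is cut off above, so the following is an added example (not the post's own SecureSpan policy nor any code from it) of what the gateway does at runtime for a geoloc-style service with one setter and one getter: map a REST request onto a SOAP envelope, and map the backend's SOAP response or Fault back onto an HTTP status and JSON body. The SOAP namespace `urn:example:geoloc`, the operation names `getLocation`/`setLocation`, the REST path shape `/geoloc/{id}` and the sample responses are assumptions, since the post does not reproduce the service's WSDL.

```python
"""REST facade for a SOAP geoloc-style service: request/response mediation (added example)."""
import json
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Assumed SOAP contract; the original post does not reproduce the WSDL.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:geoloc"
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("geo", SVC_NS)


def rest_to_soap(method: str, path: str, body: Optional[bytes]) -> Tuple[str, bytes]:
    """Map a REST request to (SOAPAction, envelope bytes).

    GET /geoloc/{id}                       -> getLocation(id)
    PUT /geoloc/{id}  {"lat": .., "lon": ..} -> setLocation(id, lat, lon)
    Anything else is refused, so the virtual REST service exposes exactly the
    two operations the backend has and validates input before it becomes SOAP.
    """
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "geoloc" or not parts[1].isalnum():
        raise ValueError("unsupported resource path")
    loc_id = parts[1]
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    soap_body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    if method == "GET":
        op = ET.SubElement(soap_body, f"{{{SVC_NS}}}getLocation")
        ET.SubElement(op, f"{{{SVC_NS}}}id").text = loc_id
        action = "getLocation"
    elif method == "PUT":
        try:
            payload = json.loads(body or b"")
            lat, lon = float(payload["lat"]), float(payload["lon"])
        except (ValueError, KeyError, TypeError):
            raise ValueError("body must be JSON with numeric lat and lon")
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            raise ValueError("coordinates out of range")
        op = ET.SubElement(soap_body, f"{{{SVC_NS}}}setLocation")
        ET.SubElement(op, f"{{{SVC_NS}}}id").text = loc_id
        ET.SubElement(op, f"{{{SVC_NS}}}lat").text = repr(lat)
        ET.SubElement(op, f"{{{SVC_NS}}}lon").text = repr(lon)
        action = "setLocation"
    else:
        raise ValueError("method not allowed")
    return action, ET.tostring(env, encoding="utf-8", xml_declaration=True)


def soap_to_rest(envelope: bytes) -> Tuple[int, dict]:
    """Map the backend's SOAP response (or Fault) to an HTTP status and JSON body."""
    root = ET.fromstring(envelope)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        return 502, {"error": "malformed backend response"}
    if body.find(f"{{{SOAP_NS}}}Fault") is not None:
        # Faults often carry stack traces or internal hostnames; never relay them.
        return 502, {"error": "backend fault"}
    fields = {child.tag.split("}")[-1]: child.text for child in body[0]}
    if "lat" in fields and "lon" in fields:
        return 200, {"lat": float(fields["lat"]), "lon": float(fields["lon"])}
    return 204, {}


# Constructed backend responses for the example.
SAMPLE_GET_RESPONSE = (
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
    b'xmlns:geo="urn:example:geoloc"><soap:Body><geo:getLocationResponse>'
    b'<geo:lat>45.5</geo:lat><geo:lon>-73.57</geo:lon>'
    b'</geo:getLocationResponse></soap:Body></soap:Envelope>'
)
SAMPLE_FAULT = (
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><soap:Fault><faultcode>soap:Server</faultcode>'
    b'<faultstring>internal error</faultstring></soap:Fault></soap:Body></soap:Envelope>'
)

if __name__ == "__main__":
    print(rest_to_soap("GET", "/geoloc/42", None))
    print(soap_to_rest(SAMPLE_GET_RESPONSE), soap_to_rest(SAMPLE_FAULT))
```

Two things the mediation buys you beyond convenience: the REST facade is a strict allow-list (only the two mapped operations and a validated input shape ever reach the SOAP endpoint), and the response mapping deliberately swallows fault detail, which is where backends tend to leak implementation information to external callers. The backend's response should still go through the same size and DTD screening as inbound XML before `ET.fromstring` is called on it.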
It has been fascinating to witness how the use of SOA gateways has evolved over
time. In 2010, we saw an explosion of market demand for our gateway appliance
product. Here are my thoughts on what I expect to see this year and beyond.
Recent use cases for these types of devices largely focused on B2B
interactions and internal enterprise integration. Many enterprise architects
realized the benefits of using the lightweight ESB-in-a-box deployment model
and gateway-based integration. I don’t think we’ve hit the peak of this
type of use case. I expect the demand for quickly deployed int... (more)
Tokens are at the center of API access control in the Enterprise. Token
management, the process through which the lifecycle of these tokens is
governed, emerges as an important aspect of Enterprise API Management.
OAuth access tokens, for example, can have a lot of session information
associated with them:
scope; client id; subscriber id; grant type; associated refresh token; a
SAML assertion or other token the OAuth token was mapped from; how often
it’s been used, and from where.
While some of this information is created during OAuth handshakes, some of it
continues to evolve througho... (more)
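As an added example of the lifecycle management the post describes (this is not the post's code nor SecureSpan's implementation), here is a server-side store for opaque OAuth tokens that keeps exactly the kind of session state listed above: scope, client id, subscriber id, grant type, the refresh token an access token derives from, the SAML assertion it was mapped from, and the usage count and source addresses that accumulate after issuance. It also covers the operations that act on that state during the token's life: validation on each API call, refresh with rotation, revocation that cascades from a refresh token to its access tokens, and an introspection view. The class and field names, the TTLs and the sample ids in the usage are assumptions for this example.

```python
"""Server-side lifecycle management for opaque OAuth tokens (added example)."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TokenRecord:
    """What the gateway keeps per token; the token string itself is an opaque handle."""
    token_type: str                          # "access" or "refresh"
    client_id: str
    subscriber_id: str
    scope: frozenset
    grant_type: str
    issued_at: float
    expires_at: float
    refresh_token: Optional[str] = None      # access tokens: the refresh token they derive from
    source_assertion: Optional[str] = None   # id of the SAML assertion (or other token) it was mapped from
    use_count: int = 0
    seen_from: set = field(default_factory=set)
    revoked: bool = False


class TokenError(PermissionError):
    pass


class TokenStore:
    def __init__(self, access_ttl: int = 3600, refresh_ttl: int = 30 * 86400):
        self._records = {}
        self.access_ttl, self.refresh_ttl = access_ttl, refresh_ttl

    def issue(self, client_id, subscriber_id, scope, grant_type,
              source_assertion=None, now=None):
        """Mint an (access, refresh) pair at the end of a successful grant."""
        now = time.time() if now is None else now
        refresh = secrets.token_urlsafe(32)
        self._records[refresh] = TokenRecord("refresh", client_id, subscriber_id,
                                             frozenset(scope), grant_type, now,
                                             now + self.refresh_ttl, None, source_assertion)
        return self._mint_access(refresh, now), refresh

    def _mint_access(self, refresh, now):
        parent = self._records[refresh]
        access = secrets.token_urlsafe(32)
        self._records[access] = TokenRecord(
            "access", parent.client_id, parent.subscriber_id, parent.scope,
            parent.grant_type, now, min(now + self.access_ttl, parent.expires_at),
            refresh, parent.source_assertion)
        return access

    def _children(self, refresh):
        return [r for r in self._records.values()
                if r.token_type == "access" and r.refresh_token == refresh]

    def validate(self, token, required_scope, client_ip, now=None) -> TokenRecord:
        """Per-request check at the resource server; also records usage."""
        now = time.time() if now is None else now
        rec = self._records.get(token)
        if rec is None or rec.token_type != "access":
            raise TokenError("unknown token")
        if rec.revoked:
            raise TokenError("token revoked")
        if now >= rec.expires_at:
            raise TokenError("token expired")
        if not set(required_scope) <= rec.scope:
            raise TokenError("insufficient scope")
        rec.use_count += 1
        rec.seen_from.add(client_ip)
        return rec

    def refresh(self, refresh_token, client_id, now=None) -> str:
        """Rotate: a valid refresh token yields a new access token and retires the old ones."""
        now = time.time() if now is None else now
        rec = self._records.get(refresh_token)
        if rec is None or rec.token_type != "refresh" or rec.revoked or now >= rec.expires_at:
            raise TokenError("invalid refresh token")
        if rec.client_id != client_id:
            # Another client presenting this refresh token is a compromise signal:
            # revoke the whole family rather than just failing the request.
            self.revoke(refresh_token)
            raise TokenError("client mismatch; token family revoked")
        for old in self._children(refresh_token):
            old.revoked = True
        return self._mint_access(refresh_token, now)

    def revoke(self, token) -> int:
        """Revoke a token; revoking a refresh token cascades to its access tokens."""
        rec = self._records.get(token)
        if rec is None:
            return 0
        family = [rec] + (self._children(token) if rec.token_type == "refresh" else [])
        newly = [r for r in family if not r.revoked]
        for r in newly:
            r.revoked = True
        return len(newly)

    def introspect(self, token, now=None) -> dict:
        """Token metadata in the shape of an RFC 7662 introspection response."""
        now = time.time() if now is None else now
        rec = self._records.get(token)
        if rec is None or rec.revoked or now >= rec.expires_at:
            return {"active": False}
        return {"active": True, "token_type": rec.token_type, "client_id": rec.client_id,
                "sub": rec.subscriber_id, "scope": " ".join(sorted(rec.scope)),
                "grant_type": rec.grant_type, "iat": rec.issued_at, "exp": rec.expires_at,
                "use_count": rec.use_count, "seen_from": sorted(rec.seen_from),
                "source_assertion": rec.source_assertion}
```

Because the token is an opaque handle, every decision (scope, expiry, revocation) is made against the store rather than against data carried in the token, which is what makes immediate revocation and usage tracking possible at all. Keeping `source_assertion` on the record is what lets a gateway answer "which SAML session did this API call ultimately come from" during an investigation, and the `seen_from` set gives a cheap anomaly signal when one token starts arriving from many addresses.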