Francois Lascelles

Subscribe to Francois Lascelles: eMailAlertsEmail Alerts
Get Francois Lascelles via: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn

Top Stories by Francois Lascelles

Are you still considering rolling out a major Enterprise Service Bus (ESB) stack — you know, the kind that involves a massive initial investment and takes 8+ months to deploy? This wasteful approach was a major factor in doomed corporate SOA initiatives that were common between 2003 and 2009. During this same period, clever architects ignored large vendor promises and realized that you simply cannot buy your way into an agile enterprise SOA. They instead focused on the tasks at hand, integrating existing IT assets, following SOA principles, using existing tools and adding lightweight strategic and specialized infrastructure to help them along the way. The winning enterprise SOA initiatives are the ones who made sure that the SOA was operational as it evolved. SOA Gateways gained popularity in recent years as a lightweight ESB that can span departmental boundaries. ... (more)

Flexible Identity Federation XML Gateways to The Rescue

Imagine a fresh business relationship between ACME Corporation and Partner. As a result of this relationship, ACME wants to grant Partner limited access to one of its core internal applications. They do this, naturally, by exposing a Web service. Why Identity Federation? Boris (an employee at Partner) sends a SOAP request to the ACME Web service along with some password or proof-of-possession type credentials. Because Boris's identity is managed outside of ACME, those credentials cannot be authenticated using ACME's authentication infrastructure. To circumvent this issue, one cou... (more)

Agile, Decoupled Security for Better Service Orientation

Service orientation is about agility. Without a resulting agility, there is no point of doing SOA. Unfortunately, enterprise SOA infrastructure initiatives sometimes fail in part because its security mechanisms and processes demolish any agility that was built into the SOA itself. This happens when security is an afterthought. Simple barriers are good for security but they can easily become preventers of agility. When security fails to maintain agility, one of following two possible consequences seems to emerge. The first is a failure of the corporate SOA initiative – without ag... (more)

OAuth Token Management

Tokens are at the center of API access control in the Enterprise. Token management, the process through which the lifecycle of these tokens is governed emerges as an important aspect of Enterprise API Management. OAuth access tokens, for example, can have a lot of session information associated to them: scope; client id; subscriber id; grant type; associated refresh token; an SAML assertion or other token the oauth token was mapped from; how often it’s been used, from where. While some of this information is created during OAuth handshakes, some of it continues to evolve througho... (more)

JSON Schema Validation for RESTful Web Services

In the article "The importance of threat protection for restful web services", I presented a number of content-based threats for XML. When protecting an endpoint from XML based attacks, not only are payloads scanned for code injections, malicious entity declarations and parser attacks, XML documents are actually validated against strict schemas that clearly describe expected document structures. Enforcing this type of compliance at the edge, in a SOA gateway for example, minimizes the risk of attacks of the Web service endpoint. Structure definition languages such as XML Schema ... (more)