While web services security standardization gets hammered out, IBM and Systinet Corp. are allowing organizations to experiment on Java-based Web services with next-generation security systems.
IBMs Web Services Toolkit 3.1, released last month, is the first implementation of the WS-Security (Web Services-Security) specification that IBM co-authored with Microsoft Corp. and VeriSign Inc.
Posted on the companys Alphaworks site (www.alphaworks.ibm.com/tech/webservicestoolkit), Web Services Toolkit can be downloaded for free but can be used only for evaluations, not for production deployment. Typically, IBM folds Web services software released on Alphaworks into its WebSphere application server once the related standards have stabilized.
The tool kit supports Apache Software Foundations Tomcat application server or IBMs WebSphere application server. (A stripped-down version of WebSphere is included in the download; this is the application server that we used.)
Although WS-Security is supported, we would like to see more documentation and example code included.
Systinets upcoming WASP (Web Applications and Services Platform) Secure Identity product implements a distributed authentication server and single-sign-on service for Web services. It uses OASIS, or the Organization for the Advancement of Structured Information Standards, Security Assertion Markup Language as one of its protocols.
WASP Secure Identity is available in beta now (downloadable from www.systinet.com/eap/wasp_card) and is expected to ship in August. It requires Systinets WASP Server 3.0.3 Advanced for Java, Systinets Web services server.
Using WASP Secure Identity, organizations can centralize Web services authentication in a single place and take advantage of user directories they already have. The beta will look up user names and passwords from a database, but the final version will also allow authentication using LDAP and Microsoft Active Directory user directories.
Systinets WASP Server 4.0 will also include significant Web services security enhancements. It will have a much more flexible authentication system that will allow users to identify themselves using HTTP basic or digest authentication, Secure Sockets Layer or Kerberos, or through WASP Secure Identity.
Systinet expects to post a beta of WASP Server 4.0 on its Web site (www.systinet.com) by the end of this month and to ship by the end of next month. Pricing hasnt been announced, and the server wont include WS-Security support, although it is planned for a future version.
- Web Services Secure?
- Web Services Security: A Political Battlefield
- Web Services Edged Forward