This issue of XML Daily Newslink is sponsored by:
SAP AG http://www.sap.com
- Public Review for WS-ReliableMessaging, WS-RM Policy, WS-MakeConnection
- Ten Predictions for XML in 2007
- BEA WebLogic 10 Preview Gets Java Certified
- Sun Pairs Unix with Open-Source Solaris + AMP Stack: SAMP
- An Integrated Approach to Federated Identity and Privilege Management in Open Systems
- Dynamic Symmetric Key Provisioning Protocol
- Trucking Firm Turns to RFID to Fill Black Hole
Public Review for WS-ReliableMessaging, WS-RM Policy, WS-MakeConnection
WS-RX TC Members, Public Review Drafts
Members of the OASIS Web Services Reliable Exchange (WS-RX) TC have released a specification set for 15-day public review. WS-RX TC Chairs are Paul Fremantle and Sanjay Patil; the document editors include Doug Davis (IBM), Anish Karmarkar (Oracle), Gilbert Pilz (BEA), Steve Winkler (SAP) and Umit Yalcinalp (SAP).  "Web Services Reliable Messaging (WS-ReliableMessaging) 1.1" describes a protocol that allows messages to be transferred reliably between nodes implementing this protocol in the presence of software component, system, or network failures. The primary goal of the specification is to create a modular mechanism for reliable transfer of messages. It defines a messaging protocol to identify, track, and manage the reliable transfer of messages between a source and a destination. It also defines a SOAP binding that is required for interoperability, and additional bindings can be defined.  The "Web Services ReliableMessaging Policy Assertion (WS-RM Policy) 1.1" specification defines a domain-specific policy assertion for reliable messaging for use with WS-Policy and WS-ReliableMessaging.  "Web Services Make Connection (WS-MakeConnection) 1.0" was created by extracting content from Section 10 of an earlier draft of the principal WS-RM specification. The primary goal of WS-MakeConnection is to create a mechanism for the transfer of messages between two endpoints when the sending endpoint is unable to initiate a new connection to the receiving endpoint. It defines a mechanism to uniquely identify non-addressable endpoints, and a mechanism by which messages destined for those endpoints can be delivered. This mechanism is extensible allowing additional functionality, such as security, to be tightly integrated. WS-MakeConnection integrates with and complements the WS-ReliableMessaging (WS-RM), WS-Security, WS-Policy, and other Web services specifications. Combined, these allow for a broad range of reliable, secure messaging options. 
By using the XML, SOAP, and WSDL extensibility models, these WS* specifications are designed to be composed with each other to provide a rich Web services environment.
See also: WS-MakeConnection
Ten Predictions for XML in 2007
Elliotte Rusty Harold, IBM developerWorks
2007 is shaping up to be the most exciting year since the community drove off the XML highway into the Web services swamp half a decade ago. XQuery, Atom, Atom Publishing Protocol (APP), XProc, and GRDDL are all promising new power. If I had to choose one big story for next year, it would be the Atom Publishing Protocol (APP). APP started out as a standard way to post blog entries, but it's turning into much, much more. APP and Atom stand ready to do for Web authoring what the Hypertext Transfer Protocol (HTTP) and Hypertext Markup Language (HTML) did for Web browsing. Tim Berners-Lee always meant the Web to be a read-write medium, but it didn't work out that way. Only the publishing/reading half of the system has been in place for the last 15 years. Writing happened using severely limited HTML forms or non-HTTP methods like File Transfer Protocol (FTP). APP defines a standard means of publishing new content that all servers can implement. Independent software vendors can write their own authoring tools that talk to APP services on the different servers. You'll finally be able to use full-blown editors like Word or Emacs to write Web content, rather than the limited tools you find in a browser. Uploading content can become as simple as saving a file on the local hard drive is today. APP is the first major protocol to be based on Representational State Transfer (REST), the architecture of the Web. Most systems to date have only used a subset of HTTP, usually GET and POST but not PUT or DELETE. Many systems like SOAP and Web-based Distributed Authoring and Versioning (WebDAV) have been actively contradictory to the design of HTTP. APP, by contrast, is working with HTTP rather than against it. If I'm right, and APP takes off, then this will have a couple of important consequences. First, APP will be a nice example that shows people how to design new systems RESTfully.
Second, it will force a lot of naive firewalls and proxy servers to be reconfigured to allow PUT and DELETE to pass through, along with POST and GET. This should help eliminate the need to tunnel everything through POST, and make other RESTful apps a lot more plausible.
See also: Atom references
BEA WebLogic 10 Preview Gets Java Certified
Staff Writer, Computer Business Review Online
The second technology preview of BEA Systems Inc's next appserver offering, WebLogic Server 10, is now available for download. More importantly, it's gotten Java EE 5 certified. That puts it in the queue, behind Sun, SAP NetWeaver, and Tmax Soft Inc (a South Korean vendor), which have the only production-certified versions, and Red Hat's JBoss, which has a certified version in beta. The obvious big piece is support of Enterprise Java Beans (EJB) 3.0, which is a kinder, gentler remake of what has been a highly complex distributed component stack. And consistent with what BEA terms its "blended source" strategy, it also natively supports open source deviants, like JPA (Java Persistence API) and JDO (Java Data Objects) that came from the SolarMetric Kodo acquisition. Other highlights of Java EE 5 support include the web services extensions, including Java API for XML-based web services 2.0, and Java Architecture for XML Binding 2.0. Related to that, WebLogic Server 10 adds support of some of the latest OASIS web services security standards, including WS-SecureConversation 1.3; WS-Security 1.1; WS-SecurityPolicy 1.2 and 1.3; and WS-Trust 1.3.
Sun Pairs Unix with Open-Source Solaris + AMP Stack: SAMP
Paul Krill, InfoWorld
You've heard of LAMP, the popular open-source infrastructure stack featuring the Linux operating system, the Apache Web server, MySQL's database, and the Perl, Python and PHP (Hypertext Preprocessor) scripting languages. Sun plans to spotlight a variation on that mixture, replacing Linux with its own Solaris Unix OS as part of its Solaris + AMP, or SAMP, stack for building Web applications. Featured in Sun's rollout on Tuesday are versions of the open-source AMP components optimized for the Solaris 10 OS plus Sun developer tools. The Solaris + AMP unveiling is part of a multifaceted announcement of free development offerings to debut on Tuesday with Sun hoping to sell support as a way to generate revenues. While stressing that Sun was not trying to compete with LAMP itself, Dan Roberts, Sun's director of developer tools marketing, did note that Sun believes its Solaris platform presents a viable competitor to Linux. Developers can build to Apache, MySQL, and the scripting languages but deploy their applications on Solaris or the open-source variant, OpenSolaris, to get advantages such as reliability and security. The company is featuring the PostgreSQL object-relational database as part of the stack along with MySQL. Sun tools and other open-source technologies also are included, and step-by-step instructions on deploying the stack are offered. In the Solaris Express, Developer Edition, an integrated environment for developing applications for Solaris, Java, and Web 2.0 is featured, and a simplified install mechanism is part of the package. Also included is an improved Gnome-based desktop and Sun development tools, including Sun Studio 11 and the NetBeans 5.5 IDE. Sun is packaging more than 150 open-source applications with Solaris Express, Developer Edition. The Glassfish application server is featured as well.
See also: the Sun announcement
An Integrated Approach to Federated Identity and Privilege Management in Open Systems
R. Bhatti, E. Bertino, and A. Ghafoor; Communications of the ACM
Online partnerships depend on federations of not only user identities but also of user entitlements across organizational boundaries... Here, we discuss the shortcomings of federated identity mechanisms and their integration with privilege management mechanisms. We also present an integrated approach to federated identity and privilege management specifically designed for Web-based platforms. A basic requirement our authorization model must satisfy is suitability to Web-based applications. To do so, we chose X-GTRBAC as the access control specification language; it has been shown to be effective in enabling access control in dynamic Web-service applications due to its XML-based modular and flexible context-aware policy specification. The central idea is that the X-GTRBAC system uses credentials supplied by users to assign them to roles, or authentication, subject to assignment constraints. Users might subsequently access resources according to their role memberships, or authorization, subject to access constraints... Our X-GTRBAC-based specification provides one, designed to accept SAML-encoded assertions as a form of credential. Using a SAML profile in the X-GTRBAC system requires a translation from SAML encoding to the X-GTRBAC format, and vice versa, using Extensible Stylesheet Language Transformations, a standard for syntax-oriented XML document transformation. This framework is a novel attempt to address the identity and entitlement federation issues we've discussed here. It integrates two security standards (RBAC and SAML) in order to create an access-management specification for open systems. It complements other efforts in this direction aimed at allowing interoperable access management using standard protocols. Our grammar specification supports federated identity and privilege management while meeting the requirements we've outlined. 
Future challenges include integrating our specification with existing directory schemes to support property-based credentials, trust negotiation protocols for incremental attribute collection, and state information for anonymous users to ensure proper accountability.
Dynamic Symmetric Key Provisioning Protocol
Mingliang Pei and Salah Machani (eds), IETF Internet Draft
This Internet draft describes a standard client-server protocol that enables a client device to download and install authentication credentials from a provisioning server in a secure and efficient manner. The prime example of such an authentication credential is a shared secret for One-Time-Password (OTP) software token in a device. The protocol is for dynamic provisioning of shared secret to a user device; it is not a bulk provisioning protocol that transfers token records from a provisioning server to an authentication system. This protocol will only support the provisioning of symmetric secret key types. Asymmetric key pair provisioning isn't the purpose of this protocol. The protocol is a web services XML-based protocol with multiple profiles to support lightweight small footprint clients such as smart cards, as well as more advanced device platforms such as USB tokens and PDAs/smart phones. Existing symmetric key delivery protocols are specific to one authentication method, or are proprietary to a particular vendor implementation. The industry needs a simple provisioning protocol standard to enable interoperability across vendors and to provision multiple shared secret types. This work is a joint effort by the members of OATH (Initiative for Open AuTHentication) to specify a protocol that can be freely distributed to the technical community. The authors believe that a common and shared specification will facilitate adoption of two-factor authentication on the Internet by enabling interoperability between commercial and open-source implementations.
See also: OATH and IETF
Trucking Firm Turns to RFID to Fill Black Hole
Marc L. Songini, ComputerWorld
Horizon Lines Inc. has turned to radio frequency identification (RFID) technology to track containers seamlessly from a Seattle distribution center over the sea and land to their final destination in Alaska. While containers can be monitored while in ships and trains, historically, they vanish into black holes when being trucked on highways. Passive RFID tags have no local power source, and must be contacted by readers before they can transmit data, using the reader as a source of energy, and are generally limited to a few feet in range. To overcome the lack of highway readers, the company placed so-called active RFID tags, which use an internal power source to contact readers, on 5100 containers. The active tags have a range of about 300 feet and can be read while moving at speeds of up to 75 miles per hour. The active RFID tags used were from Identec Solutions Inc., a U.K.-based maker of RFID systems. Also participating in the pilot was Safeway Inc., a Pleasanton, Calif.-based retail grocer that ships goods to its Alaska stores on Horizon trucks. Horizon officials wouldn't disclose the amount of savings generated by the new process, but noted that it permits a shipper to know the exact location of a load, the time of delivery, and allows it to schedule its operations more precisely and plan for any exceptions, delays or high priority movements. If there are problems with a shipment delivery, such as a truck breakdown, the customer can react accordingly. Horizon would like to tag every container in its entire fleet, creating supply chain visibility all the way from Hawaii, Guam, and Puerto Rico to the continental United States. The Horizon Services Group, he noted, is now studying methods for deploying an RFID reader network on the highway system in the continental United States.
See also: RFID readings
XML Daily Newslink and Cover Pages are sponsored by:
BEA Systems, Inc. http://www.bea.com
Sun Microsystems, Inc. http://sun.com
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter Archive: http://xml.coverpages.org/newsletterArchive.html
Cover Pages: http://xml.coverpages.org/