This issue of XML Daily Newslink is sponsored by:
Sun Microsystems, Inc. http://sun.com
Sun To Provide Commercial Support for Glassfish
Sean Michael Kerner, Internetnews.com
Sun is ramping up for the final release later this year of its next generation Glassfish Java EE application server. Glassfish V2, currently in beta, won't just be for developers but will also be suitable for full production deployments and will be commercially supported by Sun. According to the press release: Sun "announced the beta release of the GlassFish V2, the next major version of the open source Java EE 5 application server and the release of the Sun Web Developer Pack, a toolkit designed for simplifying and enabling advanced rich Internet applications for the Java platform. These releases help enterprises build and deploy SOA and Web 2.0 applications and services leveraging next generation web technologies such as Ajax, Scripting and REST that simplify development and deployment of scalable, interactive applications. The GlassFish V2 Beta adds all the enterprise features from Sun's Java System Application Server Enterprise Edition, such as clustering, administration, Web Services Interoperability Technology (WSIT) and load balancing to support highly scalable, volume enterprise deployments for SOA and Web 2.0 applications. A few of these features include: (1) WSIT integration: allowing applications to interoperate between Web services hosted on Java and Windows environments. (2) Java Business Integration (JBI): providing native SOA support. (3) NetBeans IDE integration: enabling developers to deploy SOA applications by designing BPEL business processes as well as building and testing composite applications with the NetBeans Enterprise Pack. The Sun Web Developer Pack simplifies access to multiple open source technologies for creating rich Internet-based applications, REST Web services and RSS feeds more rapidly. The availability of the Web 2.0 toolkit reinforces Sun's commitment to provide the developer community with next-generation Java technologies such as Project jMaki, Project Phobos, Dynamic Faces, WADL, ROME, and Atom."
See also: the announcement
WS-Trust 1.3 Approved as an OASIS Standard
Staff, OASIS Announcement
The "WS-Trust 1.3" specification produced by members of the OASIS Web Services Secure Exchange (WS-SX) Technical Committee has been approved as an OASIS Standard. WS-Trust defines extensions that build on WS-Security to provide a framework for requesting and issuing security tokens, and to broker trust relationships. Specification requirements included (1) requesting and obtaining security tokens, and (2) establishing, managing and assessing trust relationships. The goal of WS-Trust is to enable applications to construct trusted SOAP message exchanges. This trust is represented through the exchange and brokering of security tokens. This specification provides a protocol agnostic way to issue, renew, and validate these security tokens. The WS-Trust specification is intended to provide a flexible set of mechanisms that can be used to support a range of security protocols; this specification intentionally does not describe explicit fixed security protocols. As with every security protocol, significant efforts must be applied to ensure that specific profiles and message exchanges constructed using WS-Trust are not vulnerable to attacks—or at least that the attacks are understood. Authentication of requests is based on a combination of optional network and transport-provided security and information (claims) proven in the message. Requestors can authenticate recipients using network and transport-provided security, claims proven in messages, and encryption of the request using a key known to the recipient. One way to demonstrate authorized use of a security token is to include a digital signature using the associated secret key (from a proof-of-possession token). This allows a requestor to prove a required set of claims by associating security tokens (e.g., PKIX, X.509 certificates) with the messages.
If the requestor does not have the necessary token(s) to prove required claims to a service, it can contact appropriate authorities (as indicated in the service's policy) and request the needed tokens with the proper claims. These "authorities", which we refer to as security token services, may in turn require their own set of claims for authenticating and authorizing the request for security tokens. Security token services form the basis of trust by issuing a range of security tokens that can be used to broker trust relationships between different trust domains. The WS-Trust specification also defines a general mechanism for multi-message exchanges during token acquisition. One example use of this is a challenge-response protocol that is also defined in this specification. This is used by a Web service for additional challenges to a requestor to ensure message freshness and verification of authorized use of a security token.
See also: the announcement
CA Extends Introscope to SOA Management
Antone Gonsalves, InformationWeek
Enterprise software maker CA has introduced software that extends its Wily Introscope application management suite to service-oriented architectures. The Wily SOA Manager can manage transaction performance within an SOA by automatically identifying dependencies among services, monitoring service-based business processes, and alerting IT staff to problems. SOA Manager requires Wily Introscope and supports a number of technology platforms, including Apache Axis, BEA Systems' WebLogic server, IBM's WebSphere application server, SAP's NetWeaver, and the Microsoft .Net Framework. "Features of the new product include: (1) Out-of-the-box SOA and Web Services monitoring: Automatic discovery and monitoring of services and service business units with pre-configured dashboards; (2) Error Detection and Impact Analysis: Monitor the performance and verify the content of cross-machine, heterogeneous transactions and multi-step business processes; (3) Synthetic transaction generation: Enables monitoring of business process performance and availability and across complex applications via Service chains; (4) Service Groups: Automatic discovery of service dependencies and data collection from UDDI repositories. Ability to group services together for centralized configuration of alerting and reporting policies; (5) Customizable reporting: Allows reporting and analysis for Sarbanes-Oxley and ITIL compliance—as well as storage of all live performance data for trend analysis, capacity planning and other essential management tasks."
See also: the announcement
Newsmaker: Gosling Looks Down Sun's Open Road
Sylvia Carr, CNET News.com
Openness breeds trust—and more secure software. That's the message from the man known as the "father of Java," James Gosling. He's still at Sun Microsystems working on software development tools and aligning the strategies for the language and platform he created more than a decade ago. Silicon.com recently caught up with Gosling to discuss Sun's decision to release Java under the GPL (General Public License), whether open source is more secure than proprietary software, how IT departments can cut development costs, and why Microsoft still owns the desktop. Gosling: "An open-source development model is inherently better for security because it's the only way that you can come to trust a piece of software. Security is a very different kind of thing to test because in security you're not trying to test that the thing you built works. You have to do that but you have to figure out -- are there any cracks? Are there any flaws at the design level? And there aren't automated testing techniques (for that). There's nothing that replaces somebody putting on a black hat and saying, 'OK, I'm gonna try to break you.' And then they do. Ten years ago people were breaking into Java now and then, but always in a spirit of co-operation. We had a number of people find chinks in the armor which we fixed almost immediately. There's not been a single incident of actual loss due to a security issue. There is no Java antivirus software because it's not necessary. We've had 12 years of intense scrutiny by experts all over the world... when you build tests, the tests are inherently limited by what you think they're going to do to break in. You can build tests to make sure any of the break-in techniques you know of are stopped. And you can sit around scratching your head thinking of new ways to break into things. But you're not going to be anywhere near as creative as thousands of grad students out there adding a chapter to their Ph.D. thesis."
Expressing Untested And Untestable Constraints in Schematron
Rick Jelliffe, O'Reilly Articles
Schematron is an ISO standard schema language for making assertions about the presence or absence of patterns in XML documents. It has fairly widespread use, from publishing to transport to financial and insurance to health systems, but is not supported by major vendors yet. Schematron is aimed at being a general purpose (rather than domain-specific) rules language for expressing both the kinds of complex structural rules that are beyond the reach of XML Schemas schemas and for expressing simple business rules. Most people use my open source XSLT implementations of Schematron 1.5, but versions exist from other developers in Python, Perl, C#, and Java. One of the aims of Schematron was to allow all the constraints in a system to be printed out in bullet list form: literate programming comes to schemas. ISO Schematron allows you to put requirements in free text paragraphs (customer's view), then to put the natural language assertions that test these in bullet point form (the analyst's view), then to arrange and mark these assertions up with the appropriate IDs and XPaths (the developer's view). This can improve traceability from requirements to analysis to implementation for validators. But one persistent problem has been that there are often business requirements which are untestable. And there is another kind of constraint that is not tested but will be testable later: perhaps you haven't got the XPath skills to create the test, or perhaps it is based on some future event, such as 'All dates in this document must be during the US presidency of G.W.Bush.' So are these kinds of constraints things that can never go into a Schematron schema, or just remain as comment-like paragraphs? What we can do is have dummy assertions, which never fail and provide a place to park these kinds of constraints...
See also: Schematron references
Info Sharing Depends on the Filters
Wilson P. Dizard, Government Computer News
The U.S. government's broad-based project to create a technical and policy structure for intelligence and law enforcement information sharing relies heavily on upgrading the filters and gates used to shift data up and down the ladder of classification categories. Ambassador Ted McNamara, program manager for the Information Sharing Environment, said during a recent interview at his Washington office that 'cross-domain solutions are essential to the operation of the ISE.' McNamara's office is pushing a range of information-sharing projects forward, mainly by fostering collaboration among federal, state, local and tribal agencies. For example, McNamara said he had just met with some 700 officials at a conference focusing on the role of intelligence fusion centers. Technical working groups are polishing the service-oriented architecture of the ISE blueprint, a technical road map that will rely largely on existing protocols such as those developed for the Justice Department's Law Enforcement Information Sharing Program. ISE officials said their program's contribution consists largely of developing business processes and policies to align business and process needs via the technical working groups: "That business process gets mapped into data elements using the National Information Exchange Model; the model is a central Extensible Markup Language (XML) metadata registry spawned by Justice's Global Justice XML Data Model project. The resulting ISE network design will specify functions needed for effective information sharing, including not only the cross-domain solutions but also elements such as search, discovery, identity management and collaboration tools."
See also: GJXDM
XML Daily Newslink and Cover Pages are sponsored by:
BEA Systems, Inc. http://www.bea.com
Sun Microsystems, Inc. http://sun.com
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter Archive: http://xml.coverpages.org/newsletterArchive.html
Cover Pages: http://xml.coverpages.org/