This issue of XML Daily Newslink is sponsored by:
Microsoft Corporation http://www.microsoft.com
- Making the Case for XQuery
- Single Sign-On and Social Networks
- Scalable Vector Graphics (SVG) Tiny 1.2 Specification
- BPMN 2.0 Virtual Roundtable Interview
- Additional Portable Symmetric Key Container (PSKC) Algorithm Profiles
- Motivation for the SAML HoK Assertion Request Profiles
- Programming with the Microsoft Business Rules Framework
- An Introduction to the Yahoo! Query Language Platform
Making the Case for XQuery
Norman Walsh, CIO Magazine
The first step in leveraging a company's information assets is to get them into XML. XML provides the open, uniform platform on top of which can be built sophisticated applications to deliver dynamic content. XML allows the full richness of content (or 'unstructured data', if you prefer) to be maintained while still describing how it's structured. Books have titles, parts, chapters, paragraphs. Purchase orders have dates, addresses, items, and prices. Scientific journals have articles, titles, paragraphs, tables, figures and images. You get to decide what structure best reflects the information in your organization's documents. Graphics, media, and other resources can be stored alongside the XML text... One important observation is that most companies have a wealth of information that is or could be in XML — as much as 70% of total corporate data is unstructured, by some analyst estimates — but all content is not the same. A solution that requires all content to fit into a single structure is either impossible to manage or requires a structure so loose as to carry little useful information. Of course, even if you could fit all of today's information into a single structure, or even a small number of structures, new information would inevitably arrive tomorrow, so flexibility is a key requirement. XML gives you that flexibility. But no matter how much the virtues of XML are extolled, at the end of the day a big pile of XML isn't going to do the job all by itself. After an organization's content is made accessible, tools are then required that will help take advantage of it. One of the best tools around is XQuery. XQuery is part of a family of standards from the W3C designed to address, query, and transform XML documents... Organizations seeking an open, uniform platform on top of which to build sophisticated, content-centric applications should consider vendor solutions that have XQuery at their core.
See also: the W3C XML Query (XQuery) Working Group
Single Sign-On and Social Networks
Greg Goth, IEEE Distributed Systems Online
Call it what you will — single sign-on, federated identity, one-stop authentication — letting users sign on to the Internet once and securely access network resources anywhere has been one of the industry's enduring quests. While numerous standards efforts have steadily pursued this capability, most have been back-end technologies of which users are mostly unaware. Periodically, however, something brings these efforts to the foreground. Recent developments surrounding the open source OpenID federated-identity technology signal another high-profile period for single sign-on. But they also raise questions about how to achieve interoperability between disparate technologies meant for distinctly different user communities and which of these technologies might be worth investment... Perhaps the most vexing problem is that the announced support of OpenID is a one-way proposition. The most popular email and identity providers — Yahoo as well as Google and Microsoft — currently serve as 'issuing' OpenID providers, but they've hesitated to become 'relying' providers, which accept logins from other OpenID sites. To many observers, this alone is adequate reason to wait until the OpenID community's deeds match its words. After all, what's the point of a single sign-on technology that won't allow single sign-on? In fact, representatives of Google and Microsoft don't even agree as to why they're delaying two-way implementation of the standard... OpenID Foundation chairman Scott Kveton says the delay is indicative of a transitional period between centralized and decentralized architectures and business models... In fact, Kveton says niche sites might see a huge opportunity with smaller Web site operators from users of the big sites that now offer only one-way access via OpenID: "You're going to be able to implement OpenID on your site, and that will accept users from any one of those places. The big guys are still trying to get a feel for what this means, but in the next six to 12 months, I think there's a huge opportunity for the smaller sites to take advantage of all these users who are now being exposed to it." Thus far, the exposure hasn't translated to end-user popularity, however. Leah Culver, founder and lead developer of the San Francisco-based social networking and micro-blogging site Pownce, says, "None of our users are really asking for it. The truth is, when you go to sign up for a social network that uses OpenID, you still have to create all your profile information, and all it does is tie in your OpenID as an alternative authentication, which is great if you like that. But right now, it's not worth our time and effort to set up a second authentication service."
See also: the OpenID web site
Scalable Vector Graphics (SVG) Tiny 1.2 Specification
Staff, W3C Announcement
W3C has announced the publication of the Scalable Vector Graphics (SVG) Tiny 1.2 Specification as a W3C Recommendation. "Creating beautiful and accessible interactive content was made easier today with the release of the Scalable Vector Graphics (SVG) Tiny 1.2 Recommendation. Already implemented and deployed in mobile phones, media centers, and browsers around the world, this open standard allows authors to build documents and interfaces for the Web, with open-source and commercial authoring tools that output open, reusable content. Searchable, internationalized text and user-created metadata bring the Semantic Web to graphics, and improve the experience of users everywhere, while easier programming interfaces put the power in the hands of developers. A test suite helps to ensure interoperable SVG content in modern Web browsers, making it easier than ever to develop and deploy the right look and feel." From the Abstract: "This specification defines the features and syntax for Scalable Vector Graphics (SVG) Tiny, Version 1.2, a language for describing two-dimensional vector graphics in XML, combined with raster graphics and multimedia. Its goal is to provide the ability to create a whole range of graphical content, from static images to animations to interactive Web applications. SVG 1.2 Tiny is a profile of SVG intended for implementation on a range of devices, from cellphones and PDAs to laptop and desktop computers, and thus includes a subset of the features included in SVG 1.1 Full, along with new features to extend the capabilities of SVG. Further extensions are planned in the form of modules which will be compatible with SVG 1.2 Tiny, and which when combined with this specification, will match and exceed the capabilities of SVG 1.1 Full..." 
Sophisticated applications of SVG are possible by use of a supplemental scripting language which accesses the SVG Micro Document Object Model (uDOM), which provides complete access to all elements, attributes and properties. A rich set of event handlers can be assigned to any SVG graphical object. Because of its compatibility and leveraging of other Web standards, features like scripting can be done on XHTML and SVG elements simultaneously within the same Web page. SVG is a language for rich graphical content. For accessibility reasons, if there is an original source document containing higher-level structure and semantics, it is recommended that the higher-level information be made available somehow, either by making the original source document available, or making an alternative version available in a format which conveys the higher-level information, or by using SVG's facilities to include the higher-level information within the SVG content. Also available: "SVG 1.2 Tiny Test Suite Implementation Matrix."
See also: the SVG 1.2 Recommendation text
BPMN 2.0 Virtual Roundtable Interview
Mark Little, InfoQueue
In this interview, representatives of the BPMN 2.0 standardization effort discuss the evolution of BPMN and how it relates to other efforts such as XPDL, WS-BPEL and BPEL4People. Manoj Das is Director of BPM Product Management at Oracle, responsible for Oracle's BPM technologies, including BPMN, BPEL, BPEL4People, and Business Rules. Dave Ings is a Program Director in the IBM Software Standards group, currently the chair of the OASIS BPEL4People technical committee and IBM project lead for the BPMN 2.0 development team. Ivana Trickovic is a standards architect in SAP's Standards Management and Strategy group representing SAP in several standards efforts including OASIS WS-BPEL TC and OASIS BPEL4People TC. (1) Overview of BPMN: "BPMN or Business Process Modeling Notation is a graphical modeling standard that enables business analysts and business users to create process models, spanning multiple activities, systems, participants, and transactions, that can be taken into execution by IT, adding necessary implementation details. BPMN provides business audiences a flow-chart-like experience, a metaphor that they are conversant with. However, unlike flow-charts, it adds sufficient constraints and semantics to make the models a valid starting point for implementations. Also, closely associated with BPMN is its swim-lanes feature, which enables intuitive modeling of activities by participants and roles, and a very expressive visualization of the collaboration between various participants." [Manoj Das] (2) Why do we need BPMN? "Just as there are a variety of problem domains, so there are a variety of 'domain specific languages' optimized for each domain. UML is a standard modeling language best suited for designing and implementing software. BPMN is a standard optimized for designing business processes. Both have an important and complementary role to play when designing business processes and the SOA services that implement them." [Dave Ings] (3) What is the relationship between BPMN 2.0 and BPEL 2.0? "BPEL defines model and execution semantics for Web service-based processes which present a subset of the BPMN capabilities, e.g. BPMN allows the drawing of arbitrary graphs, and complex data flows. The BPMN 2.0 proposal includes an optional mapping of a BPMN subset to BPEL which is restricted to block-structured flows without cycles. These BPMN processes can also be executed on BPEL-based execution environments... BPEL4People and WS-HumanTask, which are part of the ongoing OASIS BPEL4People standardization activity, support important interoperability requirements between task execution engines, task list clients and process execution engines. Therefore, execution environments supporting BPEL4People and WS-HumanTask can be used to deploy and execute BPMN workflow processes." [Ivana Trickovic]
See also: BPMI specifications
Additional Portable Symmetric Key Container (PSKC) Algorithm Profiles
Philip Hoyer, Mingliang Pei (et al., eds), IETF Internet Draft
The IETF Portable Symmetric Key Container (PSKC) Internet Draft specification contains a number of XML elements and XML attributes carrying keys and related information. PSKC itself specifies a symmetric key format for transport and provisioning of symmetric keys (for example One Time Password (OTP) shared secrets or symmetric cryptographic keys) to different types of crypto modules such as a strong authentication device. The standard key transport format enables enterprises to deploy best-of-breed solutions combining components from different vendors into the same infrastructure. Not all algorithms, however, are able to use all elements, and for other algorithms certain information is mandatory. This led to the introduction of PSKC algorithm profiles, which provide further description of the mandatory and optional information elements and their semantics, including extensions that may be needed. The main PSKC specification defines two PSKC algorithm profiles, namely "HOTP" and "PIN". This document extends the initial set and specifies nine further algorithm profiles for PSKC, namely OCRA (OATH Challenge Response Algorithm); TOTP (OATH Time based OTP); SecurID-AES; SecurID-AES-Counter; SecurID-ALGOR; ActivIdentity-3DES; ActivIdentity-AES; ActivIdentity-DES; ActivIdentity-EVENT. The content of the document was created by moving a number of PSKC algorithm profiles from the I-D "Portable Symmetric Key Container" (-06).
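The profile idea described above (a counter-based OTP key must carry a counter, a time-based key must carry a time reference, and both must carry the shared secret) can be made concrete with a small validator. The following is an added example, not code from the newsletter or from the PSKC draft: it parses a constructed PSKC-style container, reports which mandatory elements a key is missing for its declared profile, and derives the HOTP value for a well-formed key using the RFC 4226 algorithm. The element names, namespace and profile URIs follow the later RFC 6030 style of PSKC and are assumptions here; the 2008 draft used a different vocabulary, and the sample secret is the RFC 4226 test-vector secret, not real key material.

```python
# Added example (not from the newsletter or the PSKC draft): parse a minimal
# PSKC-style key container, check that each key carries the elements its
# declared algorithm profile requires, and derive the OTP for an HOTP key.
# Element, namespace and profile names follow the RFC 6030 style of PSKC and
# are an assumption here; the 2008 draft used a different vocabulary.
import base64
import hashlib
import hmac
import struct
import xml.etree.ElementTree as ET

NS = {"pskc": "urn:ietf:params:xml:ns:keyprov:pskc"}  # assumed namespace
HOTP_ALG = "urn:ietf:params:xml:ns:keyprov:pskc:hotp"  # assumed profile URI
TOTP_ALG = "urn:ietf:params:xml:ns:keyprov:pskc:totp"  # assumed profile URI

# Mandatory <Data> children per profile (assumed, illustrating the point of
# a profile: a counter-based key needs a counter, a time-based key needs a
# time reference, and both need the shared secret).
REQUIRED = {
    HOTP_ALG: ("Secret", "Counter"),
    TOTP_ALG: ("Secret", "Time", "TimeInterval"),
}

# Constructed sample container. The first key uses the RFC 4226 test secret
# ("12345678901234567890", base64-encoded) with counter 0; the second key
# claims the HOTP profile but omits the counter, so profile validation fails.
SAMPLE_PSKC = """<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <Key Id="hotp-ok" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <Counter><PlainValue>0</PlainValue></Counter>
      </Data>
    </Key>
  </KeyPackage>
  <KeyPackage>
    <Key Id="hotp-bad" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>
"""


def parse_keys(xml_text):
    """Return one dict per <Key>: its Id, its algorithm profile URI, and the
    plain values of its <Data> children keyed by local element name."""
    root = ET.fromstring(xml_text)
    keys = []
    for key in root.iterfind(".//pskc:Key", NS):
        data = key.find("pskc:Data", NS)
        fields = {}
        for child in (data if data is not None else []):
            local = child.tag.split("}", 1)[1]
            plain = child.find("pskc:PlainValue", NS)
            fields[local] = plain.text.strip() if plain is not None and plain.text else None
        keys.append({"id": key.get("Id"), "algorithm": key.get("Algorithm"), "data": fields})
    return keys


def missing_elements(key):
    """Elements the key's declared profile requires but the container lacks.
    An unknown profile is reported rather than silently accepted."""
    required = REQUIRED.get(key["algorithm"])
    if required is None:
        return ["unknown-profile:" + str(key["algorithm"])]
    return [name for name in required if key["data"].get(name) is None]


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation, then reduction to the requested number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def current_otp(key):
    """Derive the OTP for an HOTP-profile key at its provisioned counter,
    refusing keys that fail profile validation."""
    if key["algorithm"] != HOTP_ALG:
        raise ValueError("not an HOTP key: %s" % key["id"])
    missing = missing_elements(key)
    if missing:
        raise ValueError("key %s lacks %s" % (key["id"], ", ".join(missing)))
    secret = base64.b64decode(key["data"]["Secret"])
    return hotp(secret, int(key["data"]["Counter"]))


if __name__ == "__main__":
    for k in parse_keys(SAMPLE_PSKC):
        gaps = missing_elements(k)
        print(k["id"], "valid" if not gaps else "missing " + ", ".join(gaps))
        if not gaps:
            print("  OTP at counter", k["data"]["Counter"], "=", current_otp(k))
```

Run as a script it reports `hotp-ok` as valid with OTP 755224 (the first RFC 4226 test vector) and `hotp-bad` as missing its Counter. Validating the container against the declared profile before any key is handed to a crypto module is the check a provisioning system wants: a key that parses but lacks a profile-mandatory element should be rejected at import, not discovered at first authentication.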
Motivation for the SAML HoK Assertion Request Profiles
Tom Scavo, SSTC Discussion List Posting
Tom Scavo of NCSA published a document describing the "Motivation for the SAML HoK Assertion Request Profiles." The documents "SAML V2.0 Holder-of-Key Web Browser SSO Profile" and "SAML V2.0 Holder-of-Key Assertion Request Profiles" are referenced from the SAML TC Wiki. Posting excerpt: The Virtual Organization Membership Service (VOMS) is the most successful attribute-based authorization framework in the Grid. A traditional VOMS credential is an X.509 attribute certificate bound to an X.509 proxy certificate. Recently, however, VOMS has added a SAML interface to its server implementation. Meanwhile, the OGSA Authorization Working Group, under the auspices of the Open Grid Forum, is profiling the authorization decision function of a Grid service provider. There are four documents under consideration within the Authz WG: (1) "Functional Components of Grid Service Provider Authorisation Service Middleware" (published 6 April 08); (2) "Use of WS-TRUST and SAML to access a Credential Validation Service" (published 9 July 08); (3) "Use of XACML Request Context to Obtain an Authorisation Decision" (published 31 Mar 08); (4) "Use of SAML to retrieve Authorization Credentials" (published 7 April 2008). The latter specification (aka the "OGSA attribute exchange") profiles a SAML attribute exchange as implemented by the new VOMS SAML interface. The original OGSA attribute exchange profile is based on the SAML V2.0 Deployment Profiles for X.509 Subjects, which profiles the case where the requester acts on behalf of the subject and also the case where the requester is the subject (self-query). When Nate Klingenstein published the SAML V2.0 Holder-of-Key Web Browser SSO Profile, it became clear that the self-query use case in the Deployment Profiles for X.509 Subjects was unnecessarily restrictive. 
Indeed, there are many more SAML deployments based on username/password credentials than there are deployments based on X.509-based PKI, so the OGSA attribute exchange profile (which has already undergone public review) needs to be totally rewritten so that it can leverage the existing installed base of SAML IdPs. The SAML V2.0 Holder-of-Key Assertion Request Profiles form the basis of the new OGSA attribute exchange profile. In particular, the SAML V2.0 Holder-of-Key Self-Request Profile describes in general terms how a subject self-issues a SAML request to obtain a holder-of-key assertion. As with the HoK Web Browser SSO Profile, the subject authenticates to the IdP in whatever way is most convenient. For example, the subject can use an existing username/password credential to authenticate to the IdP via HTTP Basic Authentication, WS-Security Username Token Profile, or perhaps even OAuth...
Programming with the Microsoft Business Rules Framework
Rick Garibay, DevX.com
Business Rules are pervasive in software. In fact, in most cases, business rules are the very reason for the existence of most software today. As application architectures become more and more sophisticated, few can disagree with the merits of separating the presentation layer from the business layer or the data layer from the business layer. Yet many applications today are still built with process logic and business rules interwoven within the same business/application layer, which can lead to applications that are brittle, hard to maintain, and resistant to change. In this article, I will explain how to decouple the business rules within your application in a manner that yields high organizational visibility and accountability, and promotes rules as a unit of reuse to help you build applications that are ready for change... The Business Rules Group, a non-commercial organization that helps to define and disambiguate the definition of business rules defines a business rule as "a statement that defines or constrains some aspect of the business. It is intended to assert business structure or to control or influence the behavior of the business." The Business Rules Group further defines business rules as organizational "guidance that there is an obligation concerning conduct, action, practice, or procedure within a particular activity or sphere." [...] The Microsoft Business Rules Framework is a fully functional rule framework originally intended for plugging in various rule executors and translators. The Microsoft Business Rules Engine (BRE) is Microsoft's implementation of their rule language and corresponding translator components, as well as execution components based on the Rete algorithm (defined later). The BRE plugs into the Microsoft Business Rules Framework... Although the Microsoft Business Rules Framework (and MS BRE) ships with Microsoft BizTalk Server 2004, 2006, and 2006 R2, this is where any association to BizTalk Server ends. 
Microsoft defines the BRE as a stand-alone application consisting of a number of modules, support components, and tools. The primary modules include the Business Rules Composer for constructing policies, the Rules Engine Deployment Wizard for deploying policies created in the Business Rules Composer, and the Run-Time Rule Engine that executes policies on behalf of a host application. You'll see more detail later, using a practical example of how to create a business rule within a policy, and call it from a .NET application... Vocabularies and policies/rule sets need to be persisted to the Rule Store. The Business Rules Composer uses the Rule Store object model for persistence. By default, the Rule Store is a SQL Server database; however, it is possible to use a file or other backing store (with some elbow grease, of course). Using SQL Server as the default repository for policies and vocabularies has some obvious performance and management benefits. Rules and vocabularies are serialized to BRL (Business Rules Language), which as you might imagine is an XML representation of the policy and rules...
See also: references for Business Rules formalisms
An Introduction to the Yahoo! Query Language Platform
Jonathan Trevor, DevX.com
One of Yahoo!'s key goals is to become more open through the Yahoo! Open Strategy (Y!OS). At the heart of Y!OS is an open and extensible platform that allows developers to rapidly access Yahoo! network data and develop applications with access control using an open authentication standard. Yahoo! makes structured data available to developers through its web services, such as Flickr and Yahoo! Local, and through other sources like RSS feeds or CSV documents. There are also numerous external web services and APIs outside of Yahoo! that provide valuable data. For example, Programmableweb.com shows more than a thousand APIs available on topics ranging from project management to the Bible. These disparate services require developers to locate the correct URLs for accessing the APIs and the documentation for querying them. Data remains isolated and separated, requiring developers to combine and work on the data after it's returned to them. Now Yahoo! has released a base platform that opens up Yahoo! user data via web standard APIs and also provides a framework for how developers, publishers, and advertisers can build applications on and off Yahoo!. The Yahoo! Query Language (YQL) platform provides a mediator service that enables developers to query, filter, and combine data across the web. YQL exposes a SQL-like SELECT syntax that is both familiar to developers and expressive enough for getting the right data. Through YQL's SHOW and DESC commands, Yahoo! attempts to make YQL self-documenting, enabling developers to discover the available data sources and structure without opening another web browser or reading a manual... Each table in YQL has an authentication scope required for access. Public tables are accessible through the '/v1/public/yql' endpoint. You access private tables and public tables through the main endpoint, which requires that you sign the call using OAuth. 
The public URL has stricter rate limiting, so if you plan to use YQL heavily, we recommend you access the OAuth-protected URL. OAuth is an open standard that enables providers of user data to share some or all of that data with an external application with the user's explicit permission. YQL (and Yahoo!) uses this standard to enable users to share their information, like their name or social network details, with third-party developers...
See also: the Yahoo! Query Language web site
XML Daily Newslink and Cover Pages sponsored by:
Sun Microsystems, Inc. http://sun.com
XML Daily Newslink: http://xml.coverpages.org/newsletter.html
Newsletter Archive: http://xml.coverpages.org/newsletterArchive.html
Cover Pages: http://xml.coverpages.org/