The OASIS Cover Pages: The Online Resource for Markup Language Technologies
Last modified: December 26, 2003
XML Articles and Papers December 2003

XML General Articles and Papers: Surveys, Overviews, Presentations, Introductions, Announcements

Other collections with references to general and technical publications on XML:

December 2003

  • [December 26, 2003] "Web Services Security Kerberos Binding." By Giovanni Della-Libera (Microsoft), Brendan Dixon (Microsoft), Praerit Garg (Microsoft), Maryann Hondo (IBM), Chris Kaler (Microsoft), Hiroshi Maruyama (IBM), Anthony Nadalin (IBM), and Nataraj Nagaratnam (IBM). December 18, 2003. Copyright (c) 2003 IBM Corporation, Microsoft Corporation. 25 pages. ['This Web Services Security Kerberos Binding Specification is an initial public draft release and is provided for review and evaluation only.'] "This document describes how to use Web Services security specifications with Kerberos... Kerberos is an established authentication and security infrastructure in use in many environments today. Consequently, as applications integrate with and are developed for Web services, there is a need to leverage existing security infrastructure. This specification describes how to integrate Kerberos security environments with the Web service security architecture. Integration with Web services security requires the following aspects: (1) Requesting and issuing security tokens; (2) Attaching security token to messages; (3) Establishing a secure context; (4) Signing and encrypting the message using the security context. This specification describes two models of Web service usage and interoperability: GSS-API and Raw Kerberos... This specification builds on the WS-Security, WS-Trust, and WS-SecureConversation specifications to integrate Kerberos functionality... The security tokens used by both [GSS-API and Raw Kerberos] models are binary and not based on XML. Consequently, the <wsse:BinarySecurityToken> element from WS-Security is used to pass security tokens inside SOAP messages. The wsse:ValueType and wsse:EncodingType attributes describe the security token's type and encoding. Applications integrating Kerberos with WS-Security must include their tokens as instances of <wsse:BinarySecurityToken>. They should encode these in base64... 
GSS-API presents a common approach and feature set over a number of different and popular security protocols. It is frequently used when two Web services, both existing within Kerberos environments leveraging GSS-API, want to securely interoperate across the Internet... Alternatively instead of using GSS-API, interoperability can be achieved at the Kerberos level. That is, using raw Kerberos security tokens and cryptographic functions. The model is straightforward: tickets are obtained and the keys are extracted for use in signing and encrypting messages. Kerberos is an IETF standard third-party mediated protocol as described in RFC 1510... Conceptually, a Kerberos KDC implements what WS-Trust calls a Security Token Service: It generates security tokens (e.g., Kerberos TGT) in exchange for other tokens..." See also "Web Services Security Specification (WS-Security)."

  • [December 26, 2003] "Content Feeds with RSS 2.0. Syndication Goes Mainstream." By James Lewin (President, The Lewin Group). From IBM developerWorks, XML. December 23, 2003. ['A lot has happened in the RSS world since developerWorks last looked at RSS: Two new specifications have come out, RSS has become one of the most popular XML standards, and tools and feeds are popping up everywhere. RSS has contributed to the explosion of weblogs, and it is becoming a standard part of other Web sites, too. This article reviews RSS 2.0, looks at new RSS developments, and jump-starts your understanding of this important format.'] "It's been three years since I wrote my last article on RSS for developerWorks, "An introduction to RSS news feeds." At that time, RSS was one of the more popular uses for XML. Since then, Netscape abandoned the format, five new versions of the RSS specification have come out, and there was an acrimonious fork in the format. In spite of these setbacks, RSS is now more popular than ever... Today you can find tens of thousands of RSS feeds. Weblog users, news publishers, government agencies, and many personal and commercial Web sites support the format. Developer tools deal with RSS in Java technology, PERL, PHP, Python, and other major programming languages. Many viewers and aggregators work on the Web, on the desktop, even within e-mail clients... This article will give you a little background, review how the format is being used, and drop the names of some of the more popular tools for working with it. It will review the nuts and bolts of the format, give you examples, and tell you what you need to know to get started. Finally, it will cover some of the new features of RSS 2.0, such as extending RSS using namespaces. At the end of the article you'll find an annotated list of RSS resources... While headline syndication is the most common use for RSS, it is also used for many other purposes. RSS is a very popular format in the weblog community. 
It's also used for photo diaries, classified ad listings, recipes, reviews, and for tracking the status of software packages. RSS feeds are used in the world of e-commerce as a way of delivering information. For example, Amazon provides custom news feeds based on its Web services platform. This lets you track top books in your news reader, or include information on your Web site about related books for sale at Amazon. RSS has grown tremendously in popularity in the last few years. Syndic8.com maintains an index of RSS channels, and its list of feeds has grown by about 1400% in two years. Yahoo news, the BBC, Slashdot, LockerGnome, Amazon, CNN, Wired, Rolling Stone, and Apple Computer are among the many popular sources of RSS feeds..." See also: (1) "Atom as the New XML-Based Web Publishing and Syndication Format"; (2) "RDF Site Summary" | "Really Simple Syndication" (RSS).

  • [December 24, 2003] "WS- and Liberty Convergence on Table." By Gavin Clarke. In Computer Business Review Online (December 24, 2003) [News Section]. "Convergence between rival web services specifications for secure identity is on next year's agenda, according to IBM Corp which is planning implementations in its software. IBM told ComputerWire it is in talks with members of the Liberty Alliance Project to establish interoperability and convergence with the WS- family of specifications, authored jointly with Microsoft Corp during 2002 and 2003. Meanwhile, two major elements of the WS-Roadmap, WS-ReliableMessaging and WS-Transaction, will next year begin to appear in IBM's WebSphere middleware brand. IBM's director of dynamic ebusiness technology Karla Norsworthy predicted security, interoperability, transaction and reliable messaging would be the focus of IBM and industry activity in 2004. Many in the industry believe next year will finally see many web services standards such as the WS- specifications increasingly implemented in vendors' products. IBM's web services partner Microsoft, for example, is expected to put Business Execution Language (BPEL) in BizTalk Server 2004. Analyst Gartner Group believes from next year onwards, big-brand stack vendors, like IBM and Microsoft, will see their products mature, as web services standards are increasingly adopted. Customers, meanwhile, are expected to finally roll out web services projects, moving beyond the pilot phase, and begin deployment outside of the corporate firewall. Security, it is believed, will top the list of technology priorities in the web services world. The industry, though, has two major security initiatives in the field of federated, single sign-in with the WS- roadmap and Liberty specifications. A basic level of interoperability exists between the two, as they use SAML assertions, a standard ratified by the Organization for the Advancement of Structured Information Standards (OASIS). 
Two frameworks, though, potentially cause a headache for enterprise developers implementing security for web services. Many today use ad-hoc XML work-arounds... Norsworthy said Liberty provided a high-level system for identity management and was especially suited to vertical markets, while the WS- specifications provides a broad set of horizontal technologies. She said IBM is 'anxious' to extend the functionality of WS- with Liberty's identity management functions..." See: (1) "Security Assertion Markup Language (SAML)"; (2) "Liberty Alliance Specifications for Federated Network Identification and Authorization"; (3) WS- specifications list.

  • [December 24, 2003] "Jabber XCP Generates Corporate IM." By Michael Caton. In eWEEK (December 16, 2003). "Jabber Inc.'s Jabber Extensible Communications Platform has a lot under the covers that brings IM beyond user-to-user communications. Unfortunately, Jabber XCP lacks the graphical management tools found in competing products. Jabber XCP 2.7 is available now, priced at $30 per user. In eWEEK Labs' tests, we found a good deal to like in the way Jabber XCP and its included Jabber Messenger work together to deliver instant messaging, but the lack of a management console is a troubling shortcoming of the platform. In terms of base price, Jabber XCP is competitive with Microsoft Corp.'s Live Communications Server 2003. It costs much less than IBM's Lotus Sametime 3.1 but doesn't offer Sametime's Web conferencing features. Jabber Inc. originated out of the Jabber Open Source Project, when Webb Interactive Services Inc. created a software company around the core developers of the original open-source Jabber server. Open-source versions of products that leverage XMPP (Extensible Messaging and Presence Protocol), the XML-based Jabber communications protocol, are available through the Jabber Software Foundation at www.jabber.org. The JSF manages the standardization process for adding extensions to XMPP for backward compatibility. The Jabber XCP product differs from the open-source Jabberd server in that it is a multithreaded and modular application. Jabber offers an interesting wrinkle on IM. As a framework application, Jabber XCP offers companies a flexible platform for delivering IM- and presence-aware applications. Overall, we liked the IM experience Jabber XCP provides, including its default options for indicating presence, which are broader than those in competing enterprise IM clients, and its ability to customize the Jabber IM client...
Because Jabber XCP relies heavily on XML as the core to communications, seeing how the product works and making modifications can be relatively straightforward. For example, customizing the client's look and feel essentially involves making changes to three XML files..." See: (1) "Jabber XML Protocol"; (2) "Extensible Messaging and Presence Protocol (XMPP)."

  • [December 23, 2003] "Web Services and C++." By Peter Lacey (Systinet). In Dr. Dobb's Journal #355 Volume 28, Issue 12 (December 2003), pages 54-58. [Database Development: Peter shows how to develop SOAP services and clients in C++ using the WASP Server for C++ from Systinet.] "While there's no shortage of information on how to implement web services using Java, C#, or even Perl, there's little information on how to bring web services to the C++ world -- despite the millions of lines of C/C++ code currently in production. In this article, I close this gap by showing how to develop SOAP services and clients in C++ using the WASP Server for C++ from Systinet... Although a license is required for deployment on multiCPU hardware, WASP is available for a variety of operating systems and compilers as a free download from Systinet. All you need is an operating system and C++ compiler for which WASP binaries are available, and a 1.3 or higher JVM... In SOAP, a 'service' loosely corresponds to a C++ 'class,' and an 'operation' to a 'method.' For instance, a sample service called 'Planet' contains a simple operation, getPlanet(). The service's endpoint (that is, URL) is /PlanetService/. The getPlanet() operation takes a single argument -- an integer between 1 and 9 -- and returns the name of the planet that corresponds to that position in order from the Sun. It returns a SOAP fault if the input parameter is out of bounds. There are two principal components to a web service -- the service itself and the Web Services Description Language (WSDL) document that describes it. It is helpful to have the WSDL document in hand when developing services, since you can use the WASP wsdlc utility to autogenerate the client stub code and service skeleton code. However, since WSDL documents can be complicated, it would be nice not to have to create the WSDL manually. 
To autogenerate WSDL documents, you have to have a source file that contains enough information to represent a service, and in a format that is simpler than WSDL itself. While WASP for C++ does not have a means of generating a WSDL from a C++ source or object file, you can generate a WSDL from a Java class file. The utility for doing so is Java2WSDL, included in the WASP for C++ Companion Toolkit... The ability to SOAP-enable new or existing C++ applications has important implications both inside and outside the enterprise. It lets you extend existing services to internal users and partners without having to generate and distribute a number of difficult and incompatible APIs. The ease with which this can be done, and the shallow learning curve of doing so, makes adopting web services much smoother than learning and implementing a complete C# or Java environment..."

  • [December 23, 2003] "XML 2003 Session Report: Namespace Routing Language." By Uche Ogbuji. From XMLHack.com (December 22, 2003). At the XML 2003 Conference in Philadelphia "James Clark followed a block of sessions on ISO Document Schema Definition Languages (DSDL) with a presentation on Namespace Routing Language (NRL), which is a key contribution to DSDL Part 4: 'Selection of validation candidates'... Clark said that NRL tried to redeem some of the cost of namespaces by using them to divide-and-conquer schema problems, using the best independent schema in the next schema language to address each sub-problem. NRL identifies groups of elements and attributes based on namespaces. The developer specifies a schema for validating each group. The data model for the entire XML document to be processed is a tree of trees. The big tree is divided into 'sections', which must be subtrees. This division uses a simple set of rules considering the relative subtree for each element and its namespace compared to that of its parents. Sections can also be applied against attributes according to whether they have the same namespace as its owner element, allowing for processing of what some call 'global attributes'. The NRL schema language defines a set of rules for sectioning documents and instructions for executing validation on each section. Rules can invoke validation against multiple schemata in multiple languages, and they can be constructed to handle otherwise unspecified namespaces, say for extremely lax or extremely strict processing. NRL supports modes similar to those in XSLT (in fact the overall processing model is much like that in XSLT). Actions can specify modes to be used for processing children of the context element. NRL also supports explicit setting of context, which allows for processing patterns that can't be expressed with modes alone. For example, one could specify a rule for processing any RDF/XML only if it was contained within an XHTML head element. 
NRL is designed for streaming implementation, though a subschema language might enforce building of a subtree in memory. SAX is the basis of the implementation of NRL in the open-source RELAX NG processor Jing..." See the full text from the presentation. General references in "Document Schema Definition Languages (DSDL)."

  • [December 23, 2003] "XML 2003 Conference Diary." By Eric van der Vlist. From XML.com (December 23, 2003). "Eric van der Vlist, author of O'Reilly's books on RELAX NG and W3C XML Schema, shares his personal view of December's XML 2003 Conference, held in Philadelphia, PA, USA... This year's conference has been dominated by schema languages... The other notable thing I noticed this week is a rise in interest for the Semantic Web at large and an increasing number of presentations showing concrete issues solved by its technologies... There was no formal DSDL tracks at XML 2003, but the next four sessions were nevertheless dedicated to DSDL parts. The first of these was James Clark's 'Incremental XML Parsing and Validation in a Text Editor', a wonderful presentation of how RELAX NG (aka DSDL part 2) can be used to guide XML editing. Although this was describing Clark's 'nXML' mode for Emacs, the principles given there were generic and could apply to other XML editing tools. What I liked the most in this talk is the different perspective on XML parsing and validation. Traditionally, we differentiate parsing from validation and include the check for well-formedness in the parsing. This separation does not work well during the editing of XML documents. Rick Jelliffe had already shown that in an amazing session called 'When Well-Formed is too much and Validity is too little' at XML Europe 2002. James Clark, who had already shown his interest in the concept by adding 'feasible validation' to his RELAX NG processor 'jing', is now following a similar path in nXML. An XML editor needs to be able to rapidly process the structure of the markup to provide syntax highlighting, and document-wide well-formedness is too much for that. Clark's nXML thus includes a parser which is limited to token recognition and does not check that tags are balanced, and a validator that checks well-formedness and validity against RELAX NG schemas when they are available...
[one] area which gave good food for thought in this presentation is that James Clark insisted that during the whole process of parsing and validation, no tree is ever built in memory. This is a new proof that the requirement undertaken by RELAX NG to allow stream processing is met, and another different perspective on XML documents. We tend to see them as trees, while they can also be seen and processed as streams of events. This dual nature of XML is something we should not forget in our applications... Murata Makoto presented 'Combining Multiple Vocabularies Without Tears', a high level introduction to DSDL part 4 and its 'divide and validate' paradigm, complemented by James Clark's 'Namespace Routing Language (NRL)' proposal. These two complementary talks described a new way to validate compound documents: rather than combining individual schemas, which often requires adapting them and requires that they use the same schema language, NRL (which is the main input to DSDL part 4) proposes a language that splits composite documents according to their namespaces, and specifies which schemas must be used for each of these parts. Many examples were given during these two talks, including the validation of SOAP messages with their envelope and payload, and XHTML documents embedding various namespaces going from SVG to RDF through XForms..." General references in "XML Schemas."

  • [December 23, 2003] "Editing and Authoring: A Structural Adviser for the XML Document Authoring." By Boris Chidlovskii (Xerox Research Centre Europe, France). Pages 203-211 in Proceedings of the 2003 ACM Symposium on Document Engineering. With 14 references. "Since the XML format became a de facto standard for structured documents, the IT research and industry have developed a number of XML editors to help users produce structured documents in XML format. However, the manual generation of structured documents in XML format remains a tedious and time-consuming process because of the excessive verbosity and length of XML code. In this paper, we design a structural adviser for the XML document authoring. The adviser intervenes at any step of the authoring process to suggest one tag or entire tree-like pattern the user is most likely to use next. Adviser suggestions are based on finding analogies between the currently edited fragment and sample data being either previously generated documents in the collection or the history of the current document authoring. The adviser is beneficial in cases when no schema is provided for XML documents, or schema associated with the document is too general and sample data contain specific patterns not captured in the schema. We design the adviser architecture and develop a method for efficient indexing and retrieval of optimal suggestions at any step of the document authoring... Interactive editors for the document preparation have evolved from Rita and Grif edition systems, that used predefined document grammars to provide the context information and to guide the authoring process, to the recent editors and validation systems for XML documents, like Microsoft XML Notepad, XML-Spy, Corel XMetaL, IBM Xeena, and others. The editors provide an interactive interface for the manual creation, editing and browsing of XML data.
The interfaces are often coupled with DTD/XML Schema grammars and content views in order to validate data against DTDs or XML Schema schema definitions and to facilitate the creation of XML documents. Finding patterns in tree-like data is a core problem in various domains, like bioinformatics, Web mining, semi-structured data, etc. In the Web mining, the main interest is in the efficient enumeration of frequent trees in a data forest, where a frequent tree is a tree occurring at least minsup times. Enumerating all frequent patterns combines methods of efficient data mining and the tree pattern matching. Mohammed J. Zaki has recently presented TreeMiner, a novel time- and space-efficient algorithm for discovering all frequent subtrees in a forest. In the semi-structured data, methods of the extraction... Our study concerns primarily the data mining aspect of the structural advising for XML documents. The method we proposed here shows that mining available data can considerably increase the 'intelligence' of an XML editor when assisting the authoring process. However, a number of important issues relevant to structural advising in an XML authoring system remained beyond the scope of this paper. These issues like the graphical user interface or integration of the data mining paradigm in the authoring environment put the user in the center of consideration. Recently, we have built a prototype that integrates the structured adviser in Adobe FrameMaker 6.0 in the form of plug-in. The next step will be developing different scenarios of providing structural suggestions to the user and running a set of evaluations through the case study and behavioral analysis... To our best knowledge, this is the first attempt to propose a method for mining available data and to rank tree patterns of different size accordingly to the efficiency metrics, expressed by the similarity and gain functions.
The principle of an adviser and contextual suggestions is close to those implemented in various document editors, like MS Word, Emacs, Amaya, for spell-checking tasks; the knowledge of the language and associated dictionaries are hard-coded in the editor. The difference is that suggestions in these editors cope with the content of document; while the suggestions patterns in our structural adviser try to capture the structure of a document; moreover the patterns can be identified off-line or from scratch in the on-line mode..." See also: ACM Symposium on Document Engineering 2003 (November 20 - 22, 2003).

  • [December 23, 2003] "XML and Information Integration: Conceptual Modeling of XML Schemas." By Bernadette Farias Lóscio, Ana Carolina Salgado, and Luciano do Rêgo Galvão (Centro de Informática, Universidade Federal de Pernambuco, Brasil). In Proceedings of the Fifth International Workshop on Web Information and Data Management (WIDM 2003) (November 7-8, 2003). "XML has become the standard format for representing structured and semi-structured data on the Web. To describe the structure and content of XML data, several XML schema languages have been proposed. Although being very useful for validating XML documents, an XML schema is not suitable for tasks requiring knowledge about the semantics of the represented data. For such tasks it is better to use a conceptual schema. This paper presents an extension of the Entity Relationship (ER) model, called X-Entity, for conceptual modeling of XML schemas. We also present the process of converting a schema, defined in the XML Schema language, to an X-Entity schema. The conversion process is based on a set of rules that consider element declarations and type definitions and generates the corresponding conceptual elements. Such representation provides a cleaner description for XML schemas by focusing only on semantically relevant concepts. The X-Entity model has been used in the context of a Web data integration system with the goal of providing a concise and semantic description for local schemas defined in XML Schema... The X-Entity representation provides a cleaner description for XML schemas hiding implementation details and focusing on semantically relevant concepts. The X-Entity model extends the ER model so that one can explicitly represent important features of XML schemas, including: element and subelement relationships, occurrence constraints of elements and attributes and choice groups. Due to space limitations, some X-Entity features were not presented in this paper. 
Other issues were not considered in our approach, including: hierarchy of elements and attributes, cardinality of group of elements, elements with mixed content and order of elements imposed by a sequence compositor. However, our model can be easily extended with additional features and new rules can be developed for the conversion process. We already implemented a prototype to generate X-Entity schemas from XML Schemas..." General references in "XML Schemas."

  • [December 23, 2003] "Security Analysis of the SAML Single Sign-on Browser/Artifact Profile." By Thomas Gross (IBM Zurich Research Laboratory). Paper presented Thursday, December 11, 2003 at the 19th Annual Computer Security Applications Conference (December 8-12, 2003, Las Vegas, Nevada, USA). With 21 references. "Many influential industrial players are currently pursuing the development of new protocols for federated identity management. The Security Assertion Markup Language (SAML) is an important standardized example of this new protocol class and will be widely used in business-to-business scenarios to reduce user-management costs. SAML utilizes a constraint-based specification that is a popular design technique of this protocol class. It does not include a general security analysis, but provides an attack-by-attack list of countermeasures as security consideration. We present a security analysis of the SAML Single Sign-on Browser/Artifact profile, which is the first one for such a protocol standard. Our analysis of the protocol design reveals several flaws in the specification that can lead to vulnerable implementations. To demonstrate their impact, we exploit some of these flaws to mount attacks on the protocol... We have deduced several recommendations for the design of browser-based protocols from our analysis. First of all, we strongly recommend that secure channels such as SSL 3.0 or TLS 1.0 with unilateral authentication for message transfer always be used. They outmatch normal transfer of signed and encrypted messages, as they provide authentication, freshness, and replay prevention. We also recommend including more explicitness measures into the messages. It is important to name protocol type, protocol step, source and destination of a message explicitly in the message. 
Such measures could for instance prevent attacks where multiple services of a site are involved. We recommend not only considering successful protocol runs, but also analyzing all states the protocol can reach. Especially error states may hide opportunities for attacks such as our referrer attack. We are convinced that the SAML Single Sign-on Browser/Artifact profile is in general a well-written protocol. In fact, it is one of the most carefully designed browser-based protocols in federated identity management. Nevertheless, several changes are required to improve its security and prepare for its broad application in industry..." General references in "Security Assertion Markup Language (SAML)."

  • [December 23, 2003] "An Editor for Adaptive XML-Based Policy Management of IPsec." By Raj Mohan (Indian Army, India) with Timothy E. Levin and Cynthia E. Irvine (Naval Postgraduate School, USA). Paper presented at the 19th Annual Computer Security Applications Conference (December 8-12, 2003, Las Vegas, Nevada, USA). With 19 references. "TCP/IP provided the communications foundation for the Internet and the IPsec protocol now promises to enable the desired security strength. IPsec provides users with a mechanism to enforce a range of security services for both confidentiality and integrity, enabling them to securely pass information across networks. Dynamic parameterization of IPsec further enables security mechanisms to adjust the level of security service 'on-the-fly' to respond to changing network and operational conditions. The IPsec implementation in OpenBSD works in conjunction with the Trust Management System, KeyNote, to achieve this. However the KeyNote engine requires that an IPsec policy be defined in the KeyNote specification syntax. Defining such a dynamic security policy in the KeyNote Policy Specification language is, however, complicated and could lead to incorrect specification of the desired policy, thus degrading the security of the network. We present an alternative XML representation of this language and a graphical user interface to create and manage a consistent and correct security policy. The interface has the simplicity of a simple menu-driven editor that not only provides KeyNote with a policy in the specified syntax but also integrates techniques for correctness verification and validation... Security policy management is a critical issue in the management of computer and networking resources. IPsec and KeyNote provide a mechanism to implement a granular security policy. 
Previous research in the area of 'Quality of Security Service' demonstrates how an adaptive security policy can provide enhanced security with optimal utilization of network resources. A missing link in this process was the difficulty in specifying a well-defined, granular, error free and consistent security policy in the language understood by the KeyNote trust management engine. We have presented a solution to this problem in the form of an easy to use yet powerful security policy editor. The work demonstrates that use of XML technology as a middle layer provides us with a means to combine the security of KeyNote with the simplicity of a policy editor. This novel approach also provides us all the benefits of XML, such as XSL and XML security. While XSL was extensively used, XML security tools could also be used in follow up future work..."

  • [December 23, 2003] "An Analysis of XML Database Solutions for the Management of MPEG-7 Media Descriptions." By Utz Westermann and Wolfgang Klas (University of Vienna). In ACM Computing Surveys (CSUR) Volume 35, Issue 4 (December 16, 2003), pages 331 - 373. [ISSN: 0360-0300] "MPEG-7 constitutes a promising standard for the description of multimedia content. It can be expected that a lot of applications based on MPEG-7 media descriptions will be set up in the near future. Therefore, means for the adequate management of large amounts of MPEG-7-compliant media descriptions are certainly desirable. Essentially, MPEG-7 media descriptions are XML documents following media description schemes defined with a variant of XML Schema. Thus, it is reasonable to investigate current database solutions for XML documents regarding their suitability for the management of these descriptions. In this paper, we motivate and present critical requirements for the management of MPEG-7 media descriptions and the resulting consequences for XML database solutions. Along these requirements, we discuss current state-of-the-art database solutions for XML documents. The analysis and comparison unveil the limitations of current database solutions with respect to the management of MPEG-7 media descriptions and point the way to the need for a new generation of XML database solutions... For the management of MPEG-7 media descriptions (and certainly for the management of other data-centric XML documents as well, e.g., in the domain of electronic interchange of business data), we therefore see the need for a new generation of XML database solutions which recognize the central importance of exploiting the type information contained in schema definitions for the adequate management of XML documents. 
At the same time, these solutions should not neglect other important issues such as sophisticated (multidimensional) value, text, and path index structures, profound extensibility with custom functionality and index structures, and -- not to forget these -- classic DBMS functionality such as transactions, fine-grained concurrency and access control, and reliable means for backup and recovery. It seems that the necessity of using schema definitions to achieve an adequate management of XML documents is becoming more and more recognized. As a newer XML database solution, Oracle XML DB/Structured Mapping already to some extent makes use of schema definitions written in XML Schema for document validation and for the typing of basic document contents, as well as for query optimization. At least for the management of MPEG-7 media descriptions, however, the system has to be developed further to overcome its limitations with regard to the more complicated constructs of MPEG-7 DDL/XML Schema in order to be considered more than just a harbinger of a new generation of schema-aware XML database solutions." See also: (1) "A Typed Representation and Type Inference for MPEG-7 Media Descriptions"; (2) "An Analysis of XML Database Solutions Concerning the Management of MPEG-7 Media Descriptions" (Technical Report, No. TR-2002302, Dept. of Computer Science and Business Informatics, University of Vienna, September, 2002). General references in "Moving Picture Experts Group: MPEG-7 Standard."

  • [December 23, 2003] "Butting Heads Over B2B. ebXML Battles Web services Over Which Will Become the E-Business Platform of Choice." By Paul Desmond. In Network World (December 22, 2003). "Companies looking to conduct complex business transactions might expect Web services to enable those efforts. But along the way, they might find some business partners adamant about using another technology for the same purpose, electronic business with XML. Under development since the late 1990s, ebXML is a multifunction e-business framework that includes a secure document-messaging component and a methodology for constructing those documents. Web services, of course, fits a similar description, although the degree to which they help businesses conduct more than the simplest of online transactions is one subject of the Web services vs. ebXML debate. Another topic is whether a debate is needed at all. A number of experts say the two technologies are complementary, because ebXML can, and does, employ Web services underpinnings such as Simple Object Access Protocol (SOAP)... 'People think of ebXML as a holistic framework rather than having multiple aspects that can be adopted independently,' says Joseph Chiusano, senior consultant with Booz Allen Hamilton in McLean, Va., and a member of the OASIS ebXML technical committee. While Web services didn't really exist when ebXML was conceived, OASIS and UN/CEFACT, an international standards body that also plays a role in ebXML development, have since made multiple efforts to incorporate Web services components in ebXML. Those include an interface that enables ebXML messages to be carried via SOAP, and the ability to register and discover Web Services Description Language (WSDL) documents... [John] Radko says he sits in on numerous meetings in which the ebXML vs. Web services debate rages on. 
Members of the auto industry, for example, are debating whether to use ebXML document formats or those that are more closely aligned with Web services, such as WS-Attachments. This Microsoft-developed specification is at least the third attempt at defining how to send files back and forth in a Web services environment. He says such a specification must have four basic attributes: to, from, message type and a message ID, for tracking. 'EbXML does all that great; it was designed from the ground up to do that,' Radko says. Work is underway in standards bodies including the Internet Engineering Task Force and World Wide Web Consortium to define the same attributes for Web services. So why not simply use ebXML document formats and send them over a Web services-based transport? For one, ebXML uses a component-based approach toward building documents that Radko says is technically sophisticated but difficult to work with... Users must choose a platform for conducting business online -- Web services or the older but more established electronic business with XML (ebXML). Sun is the only large vendor with a certified interoperable ebXML offering, although at least nine smaller e-commerce providers and software vendors offer ebXML certified products. IBM, Microsoft and Oracle favor Web services. Resolution is questionable. The ebXML camp likely will try adding more Web services underpinnings, while Web services standards groups will strive for agreement on document format structure..." See also the following reference, and general references in "Electronic Business XML Initiative (ebXML)."

  • [December 23, 2003] "Comparing WSDL-based and ebXML based Approaches for B2B Protocol Specification." By Martin Bernauer, Gerti Kappel, and Gerhard Kramler (Business Informatics Group, Institute of Software Technology and Interactive Systems, Vienna University of Technology). Presented at the First International Conference on Service Oriented Computing (ICSOC 2003), Trento, Italy, 15-18 December 2003. "When automating business processes spanning organizational boundaries, it is required to explicitly specify the interfaces of the cooperating software systems in order to achieve the desired properties of interoperability and loose coupling. So-called B2B protocols provide for the formal specification of relevant aspects of an interface, ranging from document types to transactions. Currently, there are two main approaches proposed for the specification of B2B protocols, the WSDL-based approach supporting Web Service languages, and the ebXML-based approach supporting languages defined along the ebXML project. Unfortunately, these approaches are not compatible, thus an organization wanting to engage in B2B collaboration needs to decide whether to embark on any of these new approaches, and which ones to use. This paper introduces a conceptual framework for B2B protocols, and based on this framework, a methodical comparison of the two approaches is provided, answering the questions of what the differences are and whether there are chances to achieve interoperability..." See also the abstract and the preceding bibliographic reference. Related: (1) comments on the OASIS ebXML Business Process Technical Committee (ebXML BP TC) discussion list; (2) general references in "Electronic Business XML Initiative (ebXML)." [cache]

  • [December 20, 2003] "Beyond Instant Messaging: Platforms and Standards for These Services Must Anticipate and Accommodate Future Developments." By John C. Tang and James "Bo" Begole (Sun Labs). In ACM Queue Volume 1, Number 8 (November 2003), pages 28-37. ACM Queue Special Issue on Instant Messaging. "The recent rise in popularity of IM (instant messaging) has driven the development of platforms and the emergence of standards to support IM. Especially as the use of IM has migrated from online socializing at home to business settings, there is a need to provide robust platforms with the interfaces that business customers use to integrate with other work applications. Yet, in the rush to develop a mature IM infrastructure, it is also important to recognize that IM features and uses are still evolving... In this discussion, we want to demonstrate how research prototypes that explore future directions can be used to guide and inform current efforts to develop an infrastructure. Our experience in using and studying IM has identified future opportunities in what we will refer to as 'awareness services.' That is, beyond the instant text-chat capability and sense of presence among online colleagues that IM provides, what other cues of activity should collaborators share to help coordinate their work? When a person you want to contact is not present, what information can the system provide to help you coordinate contact in the future? Even when you are physically present, can the system provide cues for when you are mentally receptive, or 'available,' to being interrupted? As examples of potential solutions to these issues, we summarize three research prototypes that demonstrate future directions in awareness services: (1) Awarenex - an IM and awareness prototype that demonstrates additional realtime awareness information useful both for initiating contact and negotiating conversation. 
(2) Rhythm Awareness - a system that analyzes awareness information over time to predict future times to contact people who are not currently available. (3) Lilsys - a system that integrates awareness information from a number of different sensors to infer when colleagues may not be available for interaction... The research prototypes described here, along with other research in this area, suggest an emergence of promising awareness features that would further help distributed work groups communicate and coordinate their collaboration. Technical platforms and standards need to support the ongoing development of awareness features and be capable of including new awareness information and services as they emerge. The technical infrastructure also needs to address privacy concerns so that users can easily understand and trust their control over who has access to this information. By developing platforms and standards today that anticipate and accommodate future developments in awareness services, we can build communication tools that will gracefully support the emergence of new awareness services as they become available..."

  • [December 20, 2003] "Nine IM Accounts and Counting." By Joe Hildebrand (Jabber). In ACM Queue Volume 1, Number 8 (November 2003), pages 44-50. ACM Queue Special Issue on Instant Messaging. ['The key word with instant messaging today is interoperability. Various standards are in contention.'] "Instant messaging (IM) has become nearly as ubiquitous as e-mail, in some cases -- on your teenager's computer, for example -- far surpassing e-mail in popularity. But it has gone far beyond teenagers' insular world to business, where it is becoming a useful communication tool. The problem, unlike e-mail, is that no common standard exists for IM, so users feel compelled to maintain multiple accounts -- for example, AOL, Jabber, Yahoo, and MSN. This decision makes no sense from the end-user perspective, but unfortunately it is an artifact of how IM has developed. Even without a common IM standard, interoperability is not much of a technical challenge, however. The open source community has demonstrated that since 1999. To interoperate or not to interoperate is actually a business decision. It comes down to giving corporate customers what they want. In some cases that means interoperability and in some cases it means creating a walled or gated community... Multiple standards are still vying for prominence today. The main contenders are XMPP and SIMPLE, both of which are still under discussion within the IETF. XMPP is an IETF adaptation of the open Jabber protocol for IM and presence. SIMPLE -- SIP for Instant Messaging and Presence Leveraging Extensions -- is based on the IETF signaling protocol known as the Session Initiation Protocol, or SIP. SIMPLE is a set of extensions built on top of SIP that will provide for an IM and presence system. Microsoft has thrown its considerable weight behind SIMPLE... Two features make IM unique: rapid-fire asynchronous messaging, and realtime presence information. 
We've only just begun exploring what it means to mix these and add them to a wide range of applications and devices. For example, one extension to presence is geographical location information. Once your car is a node on the network, its presence information could be provided (subject to permissions you control) to other nodes on the network, such as your garage door. Why push a button to open your garage door when it can open automatically whenever your car comes within 20 feet? Sure, that seems like a frivolous use of the technology, but don't think it won't happen just because it's frivolous. Adding presence information (from basic on/off status to extended presence about more sophisticated states) to applications and devices will open up a wealth of uses that we've only just begun to think about. The same is true of asynchronous messaging. While some industry pundits have bought into Microsoft's contention that the IM game is over and that the direction of IM technology will be based on SIMPLE, millions are actually building innovative applications and deploying large messaging and presence services using XMPP. Why? Because they can deploy today, knowing that XMPP is natively interoperable, extensible, and being chosen by some of the world's largest companies..." See also: (1) "Extensible Messaging and Presence Protocol (XMPP)"; (2) "SIP for Instant Messaging and Presence Leveraging Extensions."

  • [December 20, 2003] "On Helicopters and Submarines." By Marshall T. Rose (Invisible Worlds). In ACM Queue Volume 1, Number 8 (November 2003), pages 10-13. ACM Queue Special Issue on Instant Messaging. ['You're not going to get any savings through integrating IM with your SIP infrastructure. SIP does a great job as a helicopter, but when you try to make it function as an IM submarine as well, disaster may follow.'] "Helicopters are great, and so are submarines. The problem is that if you try to build one vehicle to perform two fundamentally different jobs, you're going to get a vehicle that does neither job well. What does any of this have to do with instant messaging (IM)? Well, the Session Initiation Protocol (SIP) is an excellent helicopter, but it is also being proposed for use as an instant messaging submarine. The proposal is known by a clever acronym, SIMPLE (SIP for instant messaging and presence leveraging extensions), but the SIP/IM approach doesn't have any of the good features normally associated with simplicity... SIP is a rendezvous protocol used to establish media streams (e.g., voice over IP, conferencing, and so on). The key thing to understand about rendezvous protocols is that they play an important but very limited role in data communications. They negotiate all the parameters necessary for data exchange to occur; but their role is also limited, because once this negotiation completes, the rendezvous protocol goes away and the actual exchange of data occurs. Like all good protocols, SIP's design parameters reflect its operating environment. What this means is that SIP's design isn't optimal for use in other scenarios. For example, because the rendezvous protocol is used for brief exchanges, and comprises such a small part of an overall mix of data traffic (in comparison to the actual data exchange), SIP doesn't need to have a congestion-sensitive transmission algorithm. 
After all, SIP is trying to do only one or two handshakes, so using something like slow-start is actually counterproductive. The difficulty here is the same thing that afflicts most protocols that achieve cult-like popularity: SIP is being considered for use in all kinds of different applications. In fact, the magnitude of requests for SIP extensions has reached the point where there's actually an evolving review process for SIP modifications... Rendezvous protocols are great, and so are data-exchange protocols. The problem is that if you try to build one protocol to perform two fundamentally different jobs, you're going to get a protocol that does neither job well. In other words, SIP and IM are sufficiently different that trying to do them both in the same protocol is problematic..."

  • [December 20, 2003] "Broadcast Messaging: Messaging to the Masses." By Frank Jania (IBM). In ACM Queue Volume 1, Number 8 (November 2003), pages 38-43. ACM Queue Special Issue on Instant Messaging. ['This powerful form of communication has social implications as well as technical challenges.'] "We have instantaneous access to petabytes of stored data through Web searches. With respect to messaging, we have an unprecedented number of communication tools that provide both synchronous and asynchronous access to people. E-mail, message boards, newsgroups, IRC (Internet relay chat), and IM (instant messaging) are just a few examples. These tools are all particularly significant because they have become essential productivity entitlements. They have caused a fundamental shift in the way we communicate. Many readers can attest to feeling disconnected when a mail server goes down or when access to IM is unavailable. For some of us, network outages are now as inconvenient as a blackout. These tools are also significant because they represent technologies that provide a means for enhanced interaction. On one end, in the case of e-mail, the technology provides increased delivery speed over that of standard post. At the other extreme, in the case of IM, the ability to advertise awareness information and have a realtime text conversation comprises a new form of communication. Broadcast messaging is a technology that falls somewhere in between, and has several use-cases that highlight its efficacy and indicate that it also will someday enjoy the ubiquity of IM. There are, however, social implications to providing broadcast messaging to a large audience, as well as challenges in building broadcast messaging tools for such an audience... ICT is a suite of applications that incorporates broadcast messaging and IM. The most prolific use-case of ICT is the IBM internal deployment, with an average of 18,000 users per month. 
There are five applications for broadcast messaging: w3alert, TeamRing, SkillTap, FreeJam, and PollCast. Users broadcast many types of requests to one of many communities, but the most active is the "everyone" community. This is the community that everyone listens to by default. The novel feature of communicating to "everyone" is circumventing the need to categorize your request while getting it out to a large audience of potential responders. The ability to broadcast to everyone can be very powerful, but it also has social implications and technological challenges. I'll first discuss the specifics of ICT's broadcast applications and then their social implications and technological challenges..."

  • [December 20, 2003] "IM: A Conversation with Peter Ford." By Eric Allman and Peter Ford. In ACM Queue Volume 1, Number 8 (November 2003), pages 18-27. ACM Queue Special Issue on Instant Messaging. "Instant messaging (IM) may represent our brave new world of communications, just as e-mail did a few short years ago. Many IM players are vying to establish the dominant standard in this new world, as well as introducing new applications to take advantage of all IM has to offer. Among them, hardly surprising, is Microsoft, which is moving toward the Session Initiation Protocol (SIP) as its protocol choice for IM. Providing us with the Microsoft perspective on IM is Peter S. Ford, chief architect for MSN Messenger. At Microsoft he has worked on Messenger, TCP/IP, IP security (IPsec), RSVP and QoS, voice over IP (VoIP), and Mobile Data. Previously he worked at MCI on Internet access and virtual private networks (VPNs), on the evolution of the National Science Foundation network to network access points (NAPs) and very-high-speed Backbone Network Service (vBNS), and at Los Alamos National Laboratory on high-performance computer networking and nonlinear systems. In an earlier life he was a systems hacker at the University of Utah and the University of Michigan. In the Internet Engineering Task Force (IETF) he cochaired the team proposing the use of connectionless network service (CLNS) as the candidate for IPv6. Ford has a bachelor of general studies degree from the University of Michigan. Sparring with Ford in a discussion of IM is e-mail pioneer Eric Allman, chief technology officer and founder of Sendmail..." [PF:] "I see tremendous amounts of evolution in what you and I would call user-agents. The current IM clients and the current e-mail clients are just going to evolve like crazy in the next five years. We probably won't recognize them five years from now. 
The explosion of people trying to communicate with you, using instant messaging and e-mail, is going to grow tremendously. Having systems that can manage that in a human-friendly collaborative manner is going to be critically important as we move ahead. I'm very optimistic about that. At some level, it sounds like, 'Oh my god, we're all going to drown in an e-mail sea,' and I think that filtering technologies have come around very quickly in the last two years. I've been very impressed by how quickly people have addressed spam, and that's because it's so important. I think e-mail was the killer app of the Internet, and messaging still is the killer app. E-mail plus instant messaging are part of that whole messaging milieu. They probably will be for a long time. I'm one of the people who still believe that e-mail is as important if not more important than the Web in the Internet. The Web-heads of course would say, 'No, no, the Web is the most important thing,' but I'm a big believer that person-to-person messaging, whether it be e-mail or IM, is probably still the driver. Clearly, both are important. I give the nod to messaging because people can be closer to the people they care about, and it makes it easier for them to work with the people they need to work with..."

  • [December 20, 2003] "XML for the Rest of Us. Once Eclipsed by Machine-To-Machine Communications, the Human Factor of XML is Starting to Emerge." By Jon Udell. In InfoWorld (December 19, 2003). "Last week in Philadelphia, I had the honor of delivering the opening keynote address at XML 2003. On the morning of the talk, I watched the cubicles light up in the bank across the street from my hotel. XML is a disruptive technology that is almost certainly replumbing the IT infrastructure of that bank. But to those bankers booting up their PCs and sipping coffee in early morning CRT glow, XML is still probably just plumbing -- if that... At a previous XML conference in 2001, the agenda had been all about plumbing... XML 2003 was a much happier experience. Seven weeks after shipping InfoPath, Microsoft's Jean Paoli was onstage showing how officers of the North Carolina Highway Patrol are using XML documents to report incidents. And Adobe, which had earlier this year revealed the existence of latent XML capabilities in the free Acrobat 6 reader, demonstrated the beta version of a form designer that can turn a piece of digital paper into an XML-aware form. 'The relational database is designed to serve up rows and columns,' said BEA's Adam Bosworth in his keynote talk. 'But our model of the world is documents. It's, 'Tell me everything I want to know about this person or this clinical trial.' And those things are not flat, they're complex. Now we have the way to get not only the hospital records and prescriptions but also the doctor's write-ups.' The doctors and bankers will get that, just as the highway patrolmen already do. XML documents, flowing through XML plumbing, can now deliver very real and tangible benefits. For the publishing geeks who started it all, it's a moment to savor..."

  • [December 20, 2003] "To Boldly Go." By Martin Sexton (London Market Systems). In Financial IT [IncisiveMedia] (October 2003). "Since 2000, a number of industry and proprietary XML standards have emerged, raising concerns that there were too many XML vocabularies being developed. This has led to a general misconception that the market is full of competing XML standards, causing many participants to adopt a wait-and-see approach. At the end of 2000 ISO 15022 Second Edition was initiated, its goal being to encourage convergence of industry-wide standards to create a single financial repository. The initial challenge was to merge SWIFT (post-trade and settlement) and FIX (pre-trade and trade) into a single XML standards framework. Discussions are now under way on the integration of MDDL (market data pricing and reference data, including corporate actions), FpML (derivatives trading), and TWIST (FX, money markets and commercial payments). The original delivery date for the ISO 15022 XML standard was December 2003, though to ensure the standards are properly integrated, tested and agreed this date has moved to mid-2004. Given the scope and plans of each standard is publicly available, one should not be concerned about committing to industry standards. Fears of being an early adopter should be balanced against meeting the needs of your organisation. Taking part in defining the standards will ultimately ensure the needs of your organisation are met. Financial standards landscape: The working group behind ISO 15022 Second Edition produced an initial roadmap that is summarised in the diagram on the next page. It shows the Trade lifecycle and the scope of the existing 'non-XML' standards that are planned to be reverse engineered to produce the XML variants. Since its inception, ISO 15022 Second Edition has been expanded to include the other XML standards, FpML, MDDL, and TWIST. 
The principal driving force behind the creation of these standards has been the impending T+1 regulations. The SIA and GartnerG2 conducted a survey (July 2003) on the industry's efforts toward STP, and one of the report's recommendations was that industry leaders should, 'work with the Securities Industry Association and industry bodies to establish a consensus on STP standards'. Deploying global XML standards offers the opportunity for improvement in trade automation, resulting in tangible benefits such as reduced staffing levels and shortened trade life cycles, as well as savings in hard currency... In April 2003, at the Defining the Reference Data Standard conference in New York, Keith Berry announced the success story of XML integration projects at Barclays Global Investors. By deploying XML, over 60 market data flat file interfaces were replaced with nine XML interfaces and a further 320 application interfaces were replaced by 75 XML equivalents. Other initiatives include the London Stock Exchange Sedol Master File and the FT Interactive Data pricing files projects; both have opted for MDDL as the delivery format. Potential users should not be concerned about possible standards turf wars or whether or not to use standards in a prescriptive manner. If real business benefits can be identified, one needs to ask 'why are we not using XML standards to solve part or all of our data management needs?' Given the benefits of using XML within the enterprise, there seems little point in duplicating the months of effort these standards represent without taking a good look at what they can offer -- why reinvent the wheel?" See also: (1) the London Market Systems XML Standards Guide for Market Data; (2) "FISD XML Messaging Specification for Real Time Streaming XML-Encoded Market Data."

  • [December 20, 2003] "XML: We Ain't Seen Nothin' Yet." By A. Russell Jones (DevX, Executive Editor). In DevX.com XML Zone (December 16, 2003). ['From interprocess communications to file systems to operating systems, XML is a magic elixir that provides new possibilities and solves a host of ailments. XML is becoming instrumental in areas that you may never have even considered before.'] "XML is a fundamentally simple idea -- take bits of content and give them identifying tags -- but it has far-reaching effects. In just a few short years, XML's evolution has sparked an explosion of innovation that's touched nearly every facet of computing, even the most basic computing building blocks, such as file systems, databases, displays, and communications. And it's not done yet. It won't be long before XML permeates nearly every system, application, and data store within reach. Think I'm exaggerating? Look at what XML has already accomplished... XML is set to fuel both file system (WinFS) and display (XAML, XUL) functionality in Windows. Similar capabilities for other OS's are likely not far behind. If you can capture the application management, data storage, and UI behavior in XML, you've essentially created a layer that can be moved between operating systems much more easily... XML-formatted configuration files increasingly hold directives, settings, preferences, and meta-data for individual applications, which means XML is already being used to perform one portion of application management. Applications also need data, and XML has made significant inroads into data storage, data transfer, and data query capabilities as well. Although relational databases remain the primary repository for enterprise and large-scale application data, modern applications that work with the data are retrieving it as XML. Microsoft's DataSets in .NET are one small example. 
For more indications, one need look no further than the fact that all major databases can now deliver XML-formatted data, accept XML data for update and insert operations, and are rapidly gaining the ability to store and query (see XQuery) data in native XML format. The essential point is this: Just as XML Web services provide a language-and-platform-independent layer between applications, XML configuration and management, data storage and display provide an equally language-and-platform-independent layer between operating systems. You'll see the fruits of this added layer of indirection in years to come..."

  • [December 20, 2003] "Q&A: Web Services Security." By Jack Vaughan [and Toufic Boubez]. In Application Development Trends (December 01, 2003). "Toufic Boubez has a stellar record in Web services. At IBM, he co-authored UDDI. Later, he founded Layer 7 Technologies which recently released SecureSpan to promote Web services security and integration policy creation..." Boubez [excerpt]: "'Web services' denotes a set of technologies that is supposed to allow you to attain the ideal of just-in-time integration through loosely coupled systems. But the current model in its current use breaks down when it comes to anything other than the simplest, most straight-forward 'getQuote' type of toy examples. There are many areas of tight coupling in the SOAP message alone... In typical Web services scenarios, security mechanisms such as authentication, authorization, credential presentation, encryption, or digital signature requirements are hard coded into the Web service. The equivalent mechanisms must then be hard coded into the client applications that invoke this Web service. This results in a system where the requesting client application is tightly coupled to the implementation of the service, and breaks down if any of these terms need to be changed. But, to get back to the question, there definitely is a mechanism to make Web services security loosely coupled. This is where the crucial concept of policy enters the picture. In order to provide flexibility to an otherwise brittle system, policy documents have to be created to decouple 'invariants' from 'environment variables'. In this context, what I consider to be an invariant is the actual functionality of the service, tested and deployed, and not to be touched again until the business requirements change... A system cannot be 'half' loosely coupled - it either is or isn't. What's needed to complete the solution is a new concept that we're proposing, the policy application point, at the client side. 
This is where the requester is also decoupled from the security policy requirements, in the same way that the policy enforcement point decoupled the web service itself. The policy application and enforcement points can exchange policy documents and coordinate at runtime to make the whole security mechanism truly loosely coupled. This in essence is one of the most important features of the SecureSpan Solution..."

  • [December 20, 2003] "xmltramp and pxdom." By Uche Ogbuji. From XML.com (December 17, 2003). ['In his Python column, Uche Ogbuji covers "xmltramp", a tool for parsing XML documents into a data structure that's very friendly to Python, and "pxdom", a highly-compliant, DOM Level 3 implementation.'] "In this article I cover two XML processing libraries with very disjoint goals. xmltramp, developed by Aaron Swartz, is a tool for parsing XML documents into a data structure very friendly to Python. Recently many of the tools I've been covering with this primary goal of Python-friendliness have been data binding tools. xmltramp doesn't meet the definition of a data binding tool I've been using; that is, it isn't a system that represents elements and attributes from the XML document as custom objects that use the vocabulary from the XML document for naming and reference. xmltramp is more like ElementTree, which I covered earlier, defining a set of lightweight objects that make information in XML document accessible through familiar Python idioms. The stated goal of xmltramp is simplicity rather than exhaustive coverage of XML features... pxdom, on the other hand, has the goal of strict DOM Level 3 compliance. It is developed by Andrew Clover, who contributed to the XML-SIG the document 'DOM Standards compliance', a very thorough matrix of feature and defect comparisons between Python DOM implementations. DOM has generally not been the favorite API of Python users -- or, for that matter, of Java users -- but it certainly has an important place because of its cross-language support..." General references in "XML and Python."

  • [December 18, 2003] "Lack of Windows 98 Support Could Have Wide Impact: Study." By Jack Kapica. In The Globe and Mail (December 11, 2003). "Many companies are going to find themselves more vulnerable to viruses and security attacks on Jan. 16, a Canadian research company says. On that day, Microsoft Corp ceases to offer technical support and security updates for its five-year-old operating system Windows 98. And those operating systems are still very popular among cost-conscious companies. Inventory data collected by Ottawa-based AssetMetrix Research Labs of 370,000 computers -- from 670 companies ranging in size from 10 to 49,000 PCs -- found that more than 80 per cent of the companies were still using Windows 98 or Windows 95. But in mid-January, all those computers will be considered obsolete, and security patches will cease to be made for Windows 98 or its revised successor, Windows 98 SE... AssetMetrix Research Labs, the research division of AssetMetrix, an asset intelligence service, produced the report in support of Win98-Exodus, the company's new tool to help corporations upgrade to Windows 2000 and Windows XP... More than 27 per cent of PCs were running Windows 95 or Windows 98, AssetMetrix reported, compared to only 7 per cent for Windows XP..." See also the following bibliographic entry.

  • [December 18, 2003] "An Open Letter From Jonathan Schwartz." By Jonathan Schwartz (Executive Vice President, Sun Microsystems). From Sun News, Video, and Resources. December 17, 2003. "Microsoft's recent unilateral decision to discontinue support for Windows 98 and other products as of December 23, 2003 offers users a lesson, and an opportunity. It's a lesson in how a company with legendary market dominance can lose sight of customer priorities, and force an unnecessary transition onto a customer base already paralyzed with viruses and security breaches... Publicly, Microsoft says Sun forced its hand. Yet, they overlooked that this issue was part of a settlement it agreed to and Sun extended until September of next year. So apparently without consulting customers, partners or ISV's, Microsoft has unilaterally elected to pull their products from the market, then blamed it on Sun. We'd like you to know that this isn't accurate. The agreement between Sun and Microsoft gives customers a graceful transition path to a future platform, that extends far beyond December 23. Moreover, Sun has offered, and will continue to offer, a license to Java technology that would spare Microsoft any transition whatsoever so long as Microsoft maintains compatibility, and a commitment to the preservation of the very same standards igniting the world of web services... While Microsoft scapegoats Sun, the world is discovering the wonders of Sun's Java Desktop System -- which delivers all the functionality of a Windows environment, at a tenth the price, and with ten times the security. The Chinese government discovered it. The United Kingdom's National Health Service and Office of Government Commerce discovered it. Just like hospitals, universities, retailers - and soon, some of the world's largest enterprises -- have discovered.
Sun's Java Desktop System delivers an engaging, very low cost alternative to the proprietary Microsoft platform -- which you can deploy without retraining, or fear of incompatibility..." See also the preceding reference.

  • [December 18, 2003] "OpenOffice Makes Government Inroads." By Matthew Broersma. In CNET News.com (December 18, 2003). "Government bodies in Israel and Texas are starting to shift from Microsoft Office to open-source alternatives, driven by budget pressures. Two significant government bodies, the Israel Department of Commerce and the City of Austin, Texas, are moving toward replacing Microsoft Office installations with the OpenOffice.org productivity suite. This continues a worldwide trend of governments attempting to cut costs with open-source software. The Department of Commerce has made a strategic decision to reduce government dependency on Microsoft, and is to replace most of its Microsoft Office desktops with OpenOffice, according to a report this week in the Israeli business daily Globes. The software is to run on Windows using IBM hardware, the paper said. Also this week, the City of Austin said it would migrate several hundred Microsoft Office installations to OpenOffice beginning in January, as part of an ongoing testing program. OpenOffice is an open-source office suite based on Sun Microsystems' StarOffice. Open-source software is not controlled by any one company, making it attractive for organizations wary of paying steep licensing fees to a single supplier. Many public-sector bodies are also eyeing, or actively migrating to, the open-source Linux operating system for desktop use. Linux is widely used on servers, but has yet to make a serious dent in Microsoft's dominance of the desktop. Austin made the decision to shift 300 desktops in the Communications Technology Management department to OpenOffice after testing the software on 30 desktops for several months, according to Austin's acting chief information officer, Pete Collins. He said that testing would continue, with the possibility of more of the city's 5,200 desktops shifting to OpenOffice..." 
See also: (1) the news story "Danish Board of Technology Report Recommends Open Source Software for E-Government"; (2) "OpenOffice.org XML File Format."

  • [December 17, 2003] "New Storage Management Specification Key to Managing Multi-Vendor SANs." By Shankar Subramanian. In CNET Asia (December 09, 2003). "Storage management will take a major step forward this year when the Storage Networking Industry Association (SNIA) completes work on the first version of the Storage Management Interface Specification, or SMI-S, a specification for a standardized interface for storage management applications. Managing multi-vendor Storage Area Networks (SANs) is a key concern for end-users and integrators alike. It typically requires the use of several applications from multiple vendors. The applications are typically uncoordinated and unable to work together to deliver the functionality, distribution, security, and reliability to ensure the delivery of increased business efficiency. SMI-S specifies a protocol stack consisting of CIM-XML (object descriptions and management actions) over HTTP (session), over TCP (transport), over IP (interconnect). The ubiquity of the lower layers of this stack make it possible to manage components using in-band communications, out-of-band communications, or a mix of the two... SMI-S incorporates mechanisms for standards-based management of legacy devices with proprietary interfaces. Devices and subsystems can be integrated into an SMI-S network using software agents (one per device) or CIM object managers (CIMOMs -- one or multiple devices). Agents and object managers bridge to proprietary device management models and protocols and those of the SMI-S. As higher-level abstractions than models developed specifically for individual components, SMI-S Object Models are applicable across entire classes of devices. Common abstractions make it feasible for software developers to implement policy-based management for entire storage networks... SMI-S [provides] a common interoperable and extensible management transport.
SMI-S is the unifying factor between objects that must be managed in a storage network and the tools used to manage them. SMI-S is based on the Web Based Enterprise Management (WBEM) architecture and the Common Information Model (CIM) as pioneered by the Distributed Management Task Force (DMTF). The use of the CIM-XML over HTTP standard, an object independent management protocol, allows vendors to dynamically extend the features and functions of their products without redesign of the management transport. SMI-S will shift the industry development model relieving vendors of the tedious task of integrating incompatible and 'feature thin' management interfaces, allowing them to focus on building management engines that reduce the cost and extend functionality. Device vendors will be spared the expense of 'pushing' management interface functionality across an industry of management applications developers and empowered to build new features and functions into subsystems..." General references in "SNIA Storage Management Initiative Specification (SMI-S)."

  • [December 17, 2003] "DoS Flaw in SOAP DTD Parameter." By Ryan Naraine. From InternetNews.com (December 15, 2003). "Technology heavyweights IBM and Microsoft have released fixes for a potentially serious vulnerability in various Web Services products that could be exploited to trigger denial-of-service attacks. In separate alerts, the companies said the vulnerability was caused by an error in the XML parser when parsing the DTD (Document Type Definition) part of XML documents. Independent security researcher Secunia has tagged the flaw with a 'moderately critical' rating. Affected software include the IBM WebSphere 5.0.0 and Microsoft ASP.NET Web Services (.NET framework 1.0, .NET framework 1.1). According to IBM, the security patch fixes a flaw that could be exploited by sending a specially crafted SOAP request. 'This can cause the WebSphere XML Parser to consume an excessive amount of CPU resources,' Big Blue warned. An advisory from Microsoft confirmed the DTD error parsing vulnerability in its Web Services products, included with the .NET Framework 1.1..."

  • [December 17, 2003] "OASIS Members Demo Interoperability." By Dave Kearns. In Network World (December 17, 2003). ['The author references the Liberty Alliance's recent conformance testing results and looks at a more all-encompassing group of interoperability tests. These tests were done under the auspices of Organization for the Advancement of Structured Information Standards, the foremost proponent of XML as the lingua franca of business data exchanges, including those in the identity management arena.'] "At last week's XML 2003 conference in Philadelphia, OASIS and its members collaborated on separate interoperability demonstrations of five different OASIS Standards and specifications: Electronic Business XML (ebXML), Security Assertions Markup Language (SAML), Universal Business Language (UBL), Web Services Reliability (WS-Reliability), and Extensible Access Control Markup Language (XACML). All five specs involve identity management to a greater or lesser extent. SAML, of course, is the underlying mechanism used by the various federated identity schemes, one of which -- WS-Federation -- also encompasses WS-Reliability. XACML is a language that describes a namespace for the expression of authorization policies in XML. UBL and ebXML are more generalized business-to-business languages (ebXML is actually a family of protocols) which could be seen to be an outgrowth of and an extension to the older Electronic Data Interchange (EDI) formats x11 and EDIFACT. Identity, authentication and authorization have parts to play in all of these... 
There were actually four demos presented, and one covered multiple protocols: (1) Interoperability Using Test Frameworks - ebXML in a Supply-Chain environment; (2) WS-Reliability - A demonstration of guaranteed message delivery involving Fujitsu, Hitachi, NEC, Oracle and Sun; (3) Epidemic Management Using OASIS ebXML, UBL and XACML - A real-world test of disseminating information about a health problem; (4) Web Services for Remote Portlets - Reuse of 'mini-portals' and gadgets (so-called 'portlets') for multiple sites... The WS-Reliability demo should be of interest as it is part of the infrastructure necessary for WS-Federation. The presentation demonstrated the ability of the companies involved to deliver a message, guarantee no duplicate messages and order messages as part of a transaction while all sorts of nasty things (outages, re-routings, etc.) were occurring on the network. The Epidemic Management demo is also of interest since authentication and authorization are extremely important to medical information, which must be gathered, analyzed and disseminated quickly, yet authoritatively, while still protecting patients' privacy..." See the announcement: "OASIS Interoperability Demos Showcase ebXML, SAML, UBL, WS-Reliability, and XACML at XML 2003. Adobe, BEA, Citrix, Cyclone Commerce, Drake Certivo, Fujitsu, Hitachi, IBM, Korean National Computerization Agency (NCA), NEC, US National Institute of Standards and Technology (NIST), Oracle, Sun Microsystems, Vignette, and Others Demonstrate Interoperability of Standards."

  • [December 17, 2003] "Incremental XML Parsing and Validation in a Text Editor." By Uche Ogbuji. From XMLhack.com (December 15, 2003). "At XML 2003 in Philadelphia, James Clark presented the ideas and implementation behind his nXML XML editing mode for GNU Emacs. He pointed out that text editors could be classified as text editors and structure editors. Many well-known XML editors are actually the latter, in which the document is always well-formed (and maybe even schema-valid) by virtue of restrictions on user interaction. In developing nXML, Clark wanted people to truly be able to do all the things a plain text editor, and in particular Emacs, allows. This means that the document will proceed through varying levels of well-formedness and validity as the user works. The goal is to provide the user with as many cues as possible to the user as to well-formedness and validity, without interfering with the basic text editing. This is much like the argument that Rick Jelliffe has been making for a while, and which has informed the development of Rick's commercial venture, the Topologi XML editor. Clark has now provided for effective text-driven editing of XML in an open source tool..." See the download site and the following reference.

  • [December 17, 2003] "Incremental XML Parsing and Validation in a Text Editor." By James Clark. Presentation given at XML 2003. "XML editors can be divided into text editors and structure editors. In a structure editor, the user interacts with the document as an abstract tree of elements. In a text editor, the user interacts with a document as a sequence of characters or lines of text. In a normal text editor, a user is not constrained in how they can modify the content of the document: any text can be inserted at any point and any range of text can be deleted. Preserving this characteristic in an XML editor, while providing useful support for XML editing and acceptable performance, presents some challenges. A normal XML parser or validator starts at the beginning of the document, and processes the entire document until it reaches the end or possibly until it encounters an error. This kind of implementation is not useful for an XML editor. Completely reprocessing the document on every edit cannot scale to large documents. To solve this problem, XML processing must work incrementally: as the document is processed, additional information is recorded, so that when the document is subsequently modified, the necessary reprocessing is minimized. Three kinds of XML processing will be addressed: XML 1.0 parsing, XML Namespaces processing and RELAX NG validation. This session will describe two algorithms that allow all these three kinds of processing to be performed incrementally. These algorithms have been implemented for GNU Emacs completely in Emacs Lisp. This is a particularly challenging environment, since the implementation of Emacs Lisp in GNU Emacs is much slower than the typical implementation of a language such as C++, Java or C# in which a text editor would usually be written. Moreover, GNU Emacs lacks any support for multithreading. 
Note that this work is also relevant to W3C XML Schemas, since, for the purposes of validation, W3C XML Schemas (minus integrity constraints) can be translated into RELAX NG schemas..." See also RELAX NG.

  • [December 17, 2003] "Atom Authentication." By Mark Pilgrim. From XML.com (December 17, 2003). "Atom, in case you missed it, is a new standard that uses XML over HTTP to publish and syndicate web-based content. It is initially targeted at weblogs, and most of the early adopters so far have been weblog vendors and users. It consists of the Atom API, which I discussed last month, and the Atom syndication format, which I will discuss next month. This month I want to talk about authentication... life would be much simpler if Atom could just use existing HTTP authentication, as-is. But it can't; I'm going to tell you why and then I'm going to tell you what we're doing instead... all previous weblog publishing APIs send passwords over the wire in clear text. Clearly none of these APIs will work: (1) Use HTTP basic authentication - this does not technically send passwords over the wire in clear text, but it encodes them in a way that is easily reversible. So this doesn't actually help Bob since it's not an improvement over clear text. (2) MD5-hash the password and only send the hash - this would solve the password sniffing problem, since you couldn't reverse engineer the hash to recover the original password, but it doesn't help because it's susceptible to replay attacks. (3) Use HTTP basic authentication over SSL - this would solve the password sniffing problem, but it doesn't help because we can't use SSL... (4) Use HTTP digest authentication - this would also solve the password sniffing problem, and it would solve the replay problem, but most web hosting providers don't turn on digest authentication... A little-known fact about RFC 2617 is that HTTP authentication is extensible. 
The RFC defines and Apache has modules for Basic and Digest authentication, but developers are free to define different algorithms for use within the HTTP authentication framework, and servers are free to insist that clients support those algorithms if they want access to the server's resources... After much haggling, the algorithm we chose [for Atom] was WSSE Username Token. WSSE is a family of open security specifications for web services, specifically SOAP web services. However, the Username Token algorithm is not SOAP-specific; it can be easily adapted to work within the HTTP authentication framework, and it solves all of the problems..." Note: the Atom authentication solution was still being discussed as of 2003-12-18. Other references in the news story: "Atom as the New XML-Based Web Publishing and Syndication Format."

  • [December 17, 2003] "Roll Your Own Secret Santa Web Application, Part 1: The Beans. A Step-By-Step Guide to the Tools, Technology, Design, and Implementation." By Merlin Hughes. From IBM DeveloperWorks. December 17, 2003. "Merlin Hughes presents the design and implementation of a J2EE-based secret Santa Web application, along with a discussion of the tools and technologies that can be used to ease the development of such applications. The 3-part series provides a broad overview of how to build a J2EE application from the ground up, using some modern tools and frameworks, with details of how these different technologies work together to produce the end result. While not intended as detailed treatises on any individual technology, these articles instead serve as guides to developing a Web application with J2EE. This first article focuses on the beans, their design and implementation, and the use of XDoclet to accelerate their development and deployment. It examines the tools and technologies used to implement the application, and walks through the model implementation, including the entity beans that encapsulate its state, relations, and some business logic. When developing J2EE applications, you can build them from scratch or work with the many tools that are currently available to maximize your productivity. The latter approach will not only speed your development time, but the resulting solution will often be more robust and scalable, as it will benefit from the significant experience that has driven the development of the support tools, and you'll have more time to design and test the result. Aside from the underlying J2EE technologies, our implementation of the secret Santa application model has benefited tremendously from the use of XDoclet; little over a thousand lines of commented code result in an application four times the size.
The majority of this code will therefore be autogenerated code that has seen deployment, use, and validation, and thus should have few or no errors. XDoclet has many strengths, not least of which is how it supports customization for different application designs, as seen in the custom value object pattern employed here..." See also Part 2 and Part 3.

  • [December 16, 2003] "Introducing WS-CAF: More Than Just Transactions." By Mark Little and Jim Webber (Arjuna Technologies). In Web Services Journal Volume 03, Issue 12 (December 2003). "Web services have become the integration platform of choice for enterprise applications. Those applications by the very nature of their enterprise-scale components can be complex in structure, which is compounded by the need to share common data or context across business processes supported by those applications. Those processes may be very long lived, and may contain periods of inactivity, for example, where constituent services require user interactions. In response to these issues, WS-CAF (Web Services Composite Application Framework) was publicly released in July 2003 after almost two years of effort, and has broad industry support from companies such as Iona, Oracle, Sun, and a host of others, and is now under the care of an OASIS standardization effort through the WS-CAF Technical Committee. The WS-CAF specifications are a suite of protocols designed to provide the necessary framework for composing Web services into larger aggregate business processes. Given that WS-CAF is the first framework of its kind to make its way into standardization, it's important to understand the principles underpinning it. This article provides a high-level view of WS-CAF starting from the bottom up, explaining the layered architecture of the trio of specifications that comprise WS-CAF, and demonstrating how each of the specifications can be used in its own right or as a whole to provide a rich framework for building reliable composite applications... From a distance, WS-CAF may be misinterpreted simply as the industry's third attempt at designing a transaction management solution for Web services. However, while one aspect of WS-CAF does address the kind of extended transaction models that are crucial for Web services reliability, there is actually much more to WS-CAF than just transactions.
WS-CAF also provides generic context-management and service-coordination frameworks that can form the basis of composite applications, processes, and workflows. These features are exposed to Web services-based applications and can be tailored to build protocols that are specific to particular applications domains..." Note: the article also features a section "Comparison Between OASIS BTP and WS-Coordination/Transaction." See also: (1) "OASIS Forms Web Services Composite Application Framework Technical Committee"; (2) WS-CAF Technical Committee web site.

  • [December 16, 2003] "Sun Sets Up European RFID Test Center." By Andy McCue. In CNET News.com (December 05, 2003). "Sun Microsystems will open a facility in Europe where companies can test their radio frequency identification systems. The announcement, made at Sun's first European user conference Friday, signals the company's intention to stake a claim in what is likely to be a lucrative market. In a demonstration Friday, Sun's Chief Executive Scott McNealy checked out a shopping basket of RFID-tagged goods. The center is due to open in February next year and is an addition to Sun's U.S. facility. Sun maintains that RFID tags have the potential to cut huge costs from the supply chain of retailers and manufacturers. In the United States, Wal-Mart Stores is set to spend $3 billion on RFID technology, and the retailer has drawn up specifications that its top 100 merchandise suppliers should adhere to by January 1, 2005. The new European testing center will allow companies to comply with the Wal-Mart mandate... Sun's move is unlikely to be popular with privacy groups who, earlier this month, called for the suspension of RFID implementation amid fears that the tags will be used for more nefarious people-tracking purposes once they have left stores with tagged goods. Sun's chief researcher, John Gage, told Silicon.com that the center will work to make sure the launch complies with privacy laws, but he admitted that more work needs to be done to reassure consumers that the data will not be later used for other purposes..." See also: (1) "Sun to Open a Wal-Mart Compliant RFID Test Center. New Director of Auto-ID Business Unit Claims New Facility Will Speed Supplier Compliance to Wal-Mart Standards."; (2) "RFID Resources and Readings"; (3) "Physical Markup Language (PML) for Radio Frequency Identification (RFID)."

  • [December 16, 2003] "New Storage Management Specification Key to Managing Multi-Vendor SANs." By Shankar Subramanian. In CNET Asia (December 09, 2003). "Storage management will take a major step forward this year when the Storage Networking Industry Association (SNIA) completes work on the first version of the Storage Management Interface Specification (SMI-S), a specification for a standardized interface for storage management applications. Managing multi-vendor Storage Area Networks (SANs) is a key concern for end-users and integrators alike. SMI-S incorporates mechanisms for standards-based management of legacy devices with proprietary interfaces. Devices and subsystems can be integrated into an SMI-S network using software agents (one per device) or CIM object. SMI-S provides a common interoperable and extensible management transport. SMI-S is the unifying factor between objects that must be managed in a storage network and the tools used to manage them. It is based on the Web Based Enterprise Management (WBEM) architecture and the Common Information Model (CIM) as pioneered by DMTF. The use of the CIM-XML over HTTP standard, an object independent management protocol, allows vendors to dynamically extend the features and functions of their products without redesign of the management transport... SMI-S will shift the industry development model relieving vendors of the tedious task of integrating incompatible and 'feature thin' management interfaces, allowing them to focus on building management engines that reduce the cost and extend functionality. Device vendors will be spared the expense of 'pushing' management interface functionality across an industry of management applications developers and empowered to build new features and functions into subsystems..." General references in "SNIA Storage Management Initiative Specification (SMI-S)."

  • [December 16, 2003] "Reusable Asset Specification Advances at OMG." By David Rubinstein. In Software Development Times (December 15, 2003). "The architecture board of Object Management Group Inc. last month gave its approval to the Reusable Asset Specification, basing it on the XML Metadata Interchange to facilitate the growth of what the group is calling asset-based development. The vote moves the specification, which has been in development for three years, closer to realization. There is now a 90-day comment period open, and if nothing emerges to undermine the effort, OMG's board of directors will vote to finalize the specification. OMG expects the Reusable Asset Specification (RAS) to become adopted by the board of directors in July 2004. The move to XMI from the original proposal, which relied upon the XML Schema, gives the RAS the ability to model and map relationships in a less obtrusive manner, according to Grant Larsen, a model-driven development strategist for IBM's Rational division and a contributor to the specification. Rational engineers developed the core ideas behind the specification in 1999; the effort was joined by IBM, Microsoft and ComponentSource in an RAS vendor consortium in 2000. The group submitted the specification to OMG for consideration around May. 'The spec today has two parts,' Larsen said. 'The incumbent tells how to store and capture metadata, which is realized and defined in XML Schema. Flashline, LogicLibrary and Rational have built tools around it. The newcomer is XMI, and I'm not aware of any tooling created around that as of yet'... Larsen defined asset-based development as creating, managing and consuming assets. Asset creation involves identifying, harvesting, refining and packaging a software artifact from the name, rules and extension points..." See also the following bibliographic entry and "XML Metadata Interchange (XMI)."

  • [December 16, 2003] "Draft RFC Submitted to OMG: Reusable Asset Specification (RAS)." An OMG Draft. Version 2.1. August 2003. Copyright (c) 2003 IBM, Flashline, LogicLibrary, ComponentSource, and Adaptive. 84 pages. Contributions by Brent Carlson (LogicLibrary); Charles Stack (Flashline); Craeg Strong (Ariel Partners); Ed Bacon (Vanguard); Grant Larsen (IBM); Jim Conallen (IBM); Jim Green (Microsoft); Jimmy Kerekes (Telstra); John Cheesman (Irene 7); John Steele (Charles Schwab); Lance Delano (Microsoft); Lior Amar (OSTnet); Martin LeClerc (IBM); Kumar Vagaparty (Merrill Lynch); Pete Rivett (Adaptive); Sam Patterson (ComponentSource); Sridhar Iyengar (IBM); Wayne Wulfert (Caterpillar); Wojtek Kozaczynski (Microsoft). "The Reusable Asset Specification (RAS) defines a standard way to package reusable software assets. A reusable software asset is, broadly speaking, any cohesive collection of artifacts that solve a specific problem or set of problems encountered in the software development life cycle. A reusable software asset is created with the intent of reuse... There are three key dimensions that describe reusable assets: granularity, variability, and articulation... Every reusable asset must contain at a minimum one manifest file, which are described below, and at least one artifact to be considered a valid reusable asset. The manifest file is an XML document that validates against one of the known RAS XML Schemas, and passes an additional set of semantic constraints described in the profile document. An asset package is the collection of artifact files plus a manifest. It can be a location on a filesystem or a single archive file. The manifest document is an XML document; the authoritative description of the RAS manifest document structure is provided as an XML Schema. XML Schemas express shared vocabularies and allow machines to carry out rules made by people. They provide a means for defining the structure, content and semantics of XML documents... 
The OMG Analysis & Design Task Force (ADTF) creates model and meta model standards for software development. RAS describes assets as part of asset-based development (ABD) which is an element of software development. The RAS includes UML models and XML schemas in support of ABD. ABD complements model-driven development (MDD) by describing asset production, asset consumption, and asset management. These assets may be models that may be transformed to support the MDA standard. RAS leverages existing OMG technologies / standards, as it is described using UML. RAS is also described using XML schema. We are in the process of defining a MOF 2.0 model of RAS so that the XML schemas produced will be compliant to MOF 2.0 and XMI 2.0. The final RFC will conform to MOF 2, UML 2, XMI 2, and W3C XML. The current XML schemas will continue to be normative because there are many implementations that conform to that specification. There are several tool vendors that have implemented the currently released RAS XML schema in their tools, including IBM, Flashline, and LogicLibrary..." [adapted from the v2.1 draft]

  • [December 16, 2003] "BEA Thinks Simple With Weblogic Revamp." By Martin LaMonica. In CNET News.com (December 16, 2003). "BEA Systems is hoping to simplify the management of Java software with an upcoming release of its WebLogic product, underscoring a broader industry push to lower the cost of managing applications. The company's WebLogic 9.0 application server software is being designed so that businesses can see how well their Java business applications are performing, and quickly spot and fix problems, said Benjamin Renaud, deputy chief technology officer at BEA. WebLogic 9.0 will also add better Extensible Markup Language (XML) messaging capabilities for sharing information, and will support the most recent XML-based Web services specifications ratified by standards organizations, Renaud said. BEA's WebLogic application server is based on the Java 2 Enterprise Edition (J2EE) standard, used to build and implement custom business applications. In August of this year, company CEO Alfred Chuang said WebLogic 9.0 would be completed in 12 to 18 months, or the latter half of 2004. BEA is the No. 2 maker of application server software, behind IBM. The company's focus on simplifying application management reflects growing demand among customers for business applications that are cheaper to maintain, analysts said. Businesses typically allocate well over half of their information technology budgets to maintaining existing applications... IBM is building in closer ties between its WebSphere Java server and its Tivoli systems management line. And Microsoft has launched its Dynamic Systems Initiative, which will make it easier for Windows applications to feed operational information to its management console. These built-in management features are designed to give companies a better sense of whether systems are meeting performance goals and to help spot glitches. 
With the industry coalescing around a few management standards, such as Web services management, application server companies can now more easily share application performance information with customers' existing management tools, analysts said..."

  • [December 16, 2003] "Optimizing Web Services Using Java, Part I: Generic Java and Web Services." By Jordan Anastasiade. In Web Services Journal Volume 03, Issue 12 (December 2003). "What lies behind Web services? Some say the answer depends on the power of the language used in the implementation, in addition to known standards like XML, SOAP, and WSDL. Developing Web services is hard since incorrect use of the language can cause subtle and pernicious errors. What patterns and idioms should we use for simplifying the development process? In this first of two articles, I describe some of the proposed changes to Java and show how they work together to make Java technology a more expressive language for Web services development. In a later article I'll use the Java Web Services Developer Pack (JWSDP 1.3), JAX-RPC 1.1 with its improved schema binding, and the architecture for Basic Profile 1.0, to demonstrate how to design Web services that perform well, how to identify idioms and patterns, and how to optimize Web services performance. ... This first article describes how generics will improve the design of Web services in Java. So what are generic types? Generics is basically a way to abstract over types. Practically, you can parameterize classes, interfaces, arrays, and methods... We examine the issues involved in supporting variant generic types in Java. A key aim in introducing genericity and variance to the Java programming language is the desire to write general, flexible, and complex Web services where decoupling and reuse are very important goals, while retaining and improving static type safety. Furthermore, variance annotations in class- and interface-type parameters increase the flexibility of subtyping relationships, allowing a better abstraction and maintainability and optimizing Web services as later articles will demonstrate. 
Generics increases the readability, maintainability, and safety of our Web services and will be introduced in the next release of the Java programming language (J2SE 1.5 Tiger code name). That release will also include JSR-201 with enumerations, autoboxing, for loop enhancements, import of static members, and metadata - features that are easy to use as neither syntax nor semantic restrictions have been imposed on the original language. My next article will demonstrate how to use the JWSDP 1.2, JAX-RPC 1.1 with generics and some of the new features that will make our Web services safer and easier to develop..."

  • [December 16, 2003] "Screen XML Documents Efficiently With StAX." By Berthold Daum (BDaum Industrial Communications). From IBM developerWorks. December 11, 2003. ['Retrieve the information you want, then stop the parsing process.'] "The screening or classification of XML documents is a common problem, especially in XML middleware. Routing XML documents to specific processors may require analysis of both the document type and the document content. The problem here is obtaining the required information from the document with the least possible overhead. Traditional parsers such as DOM or SAX are not well suited to this task. DOM, for example, parses the whole document and constructs a complete document tree in memory before it returns control to the client. Even DOM parsers that employ deferred node expansion, and thus are able to parse a document partially, have high resource demands because the document tree must be at least partially constructed in memory. This is simply not acceptable for screening purposes. This article shows you how to retrieve specific information from XML documents and how to stop the parsing process once this information is collected... StAX offers a pull parser that gives client applications full control over the parsing process. A client application may decide at any time to discontinue the parsing process, and no tricks are required to stop the parser. This is ideal for screening purposes..." See "BEA Offers Preview Release of JSR 173 Streaming API for Java (StAX)."

  • [December 16, 2003] "Longhorn for Developers: Controls and XAML." By Brent Rector. In Microsoft MSDN Library (December 16, 2003). From Introducing "Longhorn" for Developers. "Longhorn platform applications typically consist of an Application object and a set of user interface pages that you write in a declarative markup language called XAML. The Application object is a singleton and persists throughout the lifetime of the application. It allows your application logic to handle top-level events and share code and state among pages. The Application object also determines whether the application is a single window application or a navigation application. You typically write each user interface page using a dialect of XML named Extensible Application Markup Language (XAML). Each page consists of XAML elements, text nodes, and other components organized in a hierarchical tree. The hierarchical relationship of these components determines how the page renders and behaves. You can also consider a XAML page to be a description of an object model. When the runtime creates the page, it instantiates each of the elements and nodes described in the XAML document and creates an equivalent object model in memory. You can manipulate this object model programmatically -- for example, you can add and remove elements and nodes to cause the page to render and behave differently. Fundamentally, a XAML page describes the classes that the runtime should create, the property values and event handlers for the instances of the classes, and an object model hierarchy -- that is, which instance is the parent of another instance. All XAML documents are well-formed XML documents that use a defined set of element names. Therefore, all rules regarding the formation of well-formed XML documents apply equally to XAML documents... Each XAML page contains one or more elements that control the layout and behavior of the page. You arrange these elements hierarchically in a tree. 
Every element has only one parent. Elements can generally have any number of child elements. However, some element types -- for example, Scrollbar -- have no children; and other element types -- for example, Border -- can have a single child element. Each element name corresponds to the name of a managed class. Adding an element to a XAML document causes the runtime to create an instance of the corresponding class... A XAML page typically begins with a panel element. The panel is a container for a page's content and controls the positioning and rendering of that content. In fact, when you display anything using XAML, a panel is always involved, although sometimes it is implicit rather than one you describe explicitly. A panel can contain other panels, allowing you to partition the display surface into regions, each controlled by its panel... XAML has all the controls you've come to expect from Windows -- buttons, check boxes, radio buttons, list boxes, combo boxes, menus, scroll bars, sliders, and so on..." General references in "Microsoft Extensible Application Markup Language (XAML)" and in "XML Markup Languages for User Interface Definition."

  • [December 16, 2003] "BitTorrent and RSS Create Disruptive Revolution. XML Syndication and Peer-To-Peer Meet to Extend the Power and Efficiency of Web-based Information Distribution." By Steve Gillmor. In eWEEK (December 14, 2003). "Disruptive technologies are born for all sorts of reasons -- good ideas, market pressure, economic opportunity, and sometimes just plain luck. Many of today's disruptive leaders only emerged when combined with other seemingly unrelated inventions. Wi-Fi and broadband (DSL and cable but not satellite) have prospered in a mutually symbiotic fashion. So too have weblogs and RSS. For newbies, RSS feeds are XML text files generated by blogs, websites and other web servers that desktop clients -- called RSS Readers or Weblog Readers -- download on a set schedule, usually once an hour. As RSS gains momentum, it begins to strain the boundaries of its current infrastructure. Feeds are increasingly containing full text, graphics, and even multimedia files. Strict constructionists are bemoaning the trend, suggesting that syndication is all about signaling rather than transporting. Those of us who've moved to RSS as the gateway to as much information as we can filter reject that notion... RSS has forever altered the way I acquire information, and its disruptive quality can surely bond with another such technology to conquer this bottleneck... One such candidate is peer-to-peer, as resurrected in the form of Bram Cohen's BitTorrent. It's an elegant protocol for distributing files, one that takes advantage of 'the unused upload capacity of your customers.' BitTorrent breaks up files into shards that are uploaded around the network as the file is downloaded by multiple clients. The more popular a file, the more endpoints exist. You download a file with BitTorrent by simultaneously collecting shards, assembling them together locally as they arrive. 
Map this to RSS feeds: the more popular the feed, the more nodes on the network serving pieces of the feed. That would allow rapid downloads by many users by distributing the data across multiple sites. It's a digital Robin Hood, redistributing the wealth from the server to a network of peers. Bi