Dev Blog - Johan Danforth

I'm Johan Danforth and this is my dev blog - a mix of .NET, ASP.NET, Rest, Azure and some other random coding stuff.

  • How to list active connections for a process in win2k?

    I'm sure many people have been trying the same thing, but I need to get the name or id of the process that owns a certain ip port or connection on the machine. I found the undocumented APIs called AllocateAndGetTcpExTableFromStack and AllocateAndGetUdpExTableFromStack but as far as I know, they are only available for WinXP and possibly Win2k3 as well, but my program should run on win2k as well. I've been looking for hours for a way to get open connections for a process in win2k, but it's impossible. I don't want to write my own device driver...

    Some tools do it, like Fport.exe, but I wonder how!


    So, any idea about how to solve this? Preferably in c# or vb.net...

  • PacManhattan

    I got this page from Jan-Erik, and it looks really fun. Real Life PACMAN around Washington square park! And it is software-related too! ...sort of ;) Quoted from their webby:

    Pac-Manhattan is a large-scale urban game that utilizes the New York City grid to recreate the 1980's video game sensation Pac-Man. This analog version of Pac-man is being developed in NYU's Interactive Telecommunications graduate program, in order to explore what happens when games are removed from their "little world" of tabletops, televisions and computers and placed in the larger "real world" of street corners, and cities.

    A player dressed as Pac-man will run around the Washington square park area of Manhattan while attempting to collect all of the virtual "dots" that run the length of the streets. Four players dressed as the ghosts Inky, Blinky, Pinky and Clyde will attempt to catch Pac-man before all of the dots are collected.

    Using cell-phone contact, Wi-Fi internet connections, and custom software designed by the Pac-Manhattan team, Pac-man and the ghosts will be tracked from a central location and their progress will be broadcast over the internet for viewers from around the world

  • [Java] JAX-RPC vs. ASMX (a few things I noticed)

    Note: This is just a reflection, not a full comparison between the two. I don't have time to do a full review of JAX-RPC I'm afraid ;)

    I dedicated yesterday to looking at JAX-RPC, which is supposed to be a pretty good and standardized way to build web services in Java. I didn't want to use a vendor specific implementation of JAX-RPC, so I downloaded Java Web Services Developer Pack (Java WSDP) from Sun, which has a decent tutorial and numerous examples. It took some hours to get everything going, but the Java WSDP has EVERYTHING you need to get going, except for the Java SDK and a proper editor.

    Well what can I say. It's far from simple. Without proper tools that do the mapping and generation of class-files for you, it is more or less a mess and it's a total pain compared to how easy it is on the .NET platform. Even if you're not using VS.NET and doing it by hand using Notepad.

    The good thing about JAX-RPC is that most things seem to be doable with it. The coding part is dead easy and you can do Handlers (just like SoapExtensions in .NET) and stuff too. I noticed that default encoding seems to be rpc/encoded though.

    What I need to stay sane is a good JAX-RPC plugin to IntelliJ, Eclipse, NetBeans or something. I'll continue to write small stuff about what I find in this field.

  • WS-Security webcasts

    This evening I'm going to hunt for webcasts about WS-Security. I'll try to find fresh ones, starting on Microsoft sites:

    Architect Webcast: Securing Web Services (interwise recording)

    Support WebCast: Introduction to Microsoft Web Services Enhancements (Windows streaming media)

    This one is good if you've been into soap headers and such before:

    Support WebCast: Microsoft ASP.NET: Advanced XML Web Services Using ASP.NET (Windows streaming media)

    And this is an older, but very good article that describes the different proposed security specs around web services.

    If you know of good webcasts about WS-Security, please comment.

  • WS-Security receives official blessing from OASIS

    If someone out there missed it :)

    "Web Services Security 1.0, the foundation specification for creating a security infrastructure around Web services, officially became a standard Monday, paving the way for corporate adoption."

    InfoWorld April 20, 2004 

    One of many articles is available here.

  • Note to self

    Stuff I found while surfing last night...

    Links about MCAD certification and such: http://www.codeclinic.com/certification.htm and  http://weblogs.asp.net/pscott/archive/2004/04/13/112235.aspx

    Some good links and articles about WSE and WS-Security: http://www.bristowe.com/articles/

    A gazillion webcasts on MSDN: http://msdn.microsoft.com/library/default.asp?url=/seminar/mmcfeed/mmcdisplayfeed.asp

    .NET webcasts on MSDN: http://msdn.microsoft.com/library/default.asp?url=/seminar/mmcfeed/mmcdisplayfeed.asp?lang=en&product=103364&audience=100402

    About the (no) need to set objects to nothing in VB: http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=953vib%24q24%241%40nnrp1.deja.com&rnum=21&prev=/groups%3Fq%3Dmatt%2Bcurland%2Bnothing%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26start%3D20%26sa%3DN

    MSDN Webcast archive: http://www.microsoft.com/seminar/events/webcasts/library/default.mspx

    Software Fortress Model (SFM) by Roger Sessions (Objectwatch)

    Using Role-Based Security with Web Services Enhancements 2

    SoapHandlers in Weblogic 8.2

    JAX-RPC at Sun

    Eclipse plug-ins

    Lobaz docs and something about eclipse and web services with axis

  • Ways to protect a Web Service

    I'm having a hot discussion with a fellow at work about different ways to protect a Web Service and we're of course having different opinions about this. If you look at the Web Service method or end-point as a resource available on a network and you want to protect that resource from being called by someone who isn't allowed - how should you do it?

    My friend works for a LARGE company that has a web access management product and he is a product specialist, and this product is pretty good at protecting URL sources. So, he naturally suggests that we use this product and put an access layer in front of all our Web Services. Each Web Service proxy/client must then add a special HTTP header or encrypted cookie that this access management agent looks for before it's allowed to access the service method. Each Web Service method has a unique URL or URI so we just configure it as a protected resource in the access management catalogue and put its agent (which is an ISAPI filter) on each Web Service server. We don't want to protect the resource with basic authentication because we prefer not to store uid and pw on the machine. Each end user will be using a web browser and also be authenticated through this product, so each user will have a unique and encrypted cookie which can be used to protect each Web Service as well.

    This will probably work pretty fine, and you get rid of access management stuff from the Web Service implementation. But I don't like this solution, for several reasons, but mainly: 

    1. I personally believe that each service should be autonomous and take care of its own user authentication. In this case I would send the user id as an encrypted token in a SOAP header or implement WS-Security, and do user authentication in a SOAP filter or similar so that Web Service method implementors didn't have to worry about it. Keep out of band data away from message implementation. Besides, isn't this what WS-Security is all about?

    2. I don't like to have HTTP headers or cookies added to the SOAP message. Doesn't that make you transport protocol dependent? What if the services were moved to the back end of MQ or something similar in the future?

    What do you think? Do you see any other reasons to use or not use an access management layer in front of and separated from the Web Service?

    If you know about any good resources on the Net (papers, talks, webcasts etc.) that bring this matter up, please write a comment about it. Pat Helland talks much about autonomous services and fiefdoms, and how they should take care of everything themselves, but I've not read or heard much about protecting access to Web Services.
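
An added example, not part of the original post, of the approach in point 1 above: authentication happens in a filter that reads a token from a SOAP header, so it does not rely on HTTP headers or cookies and behaves the same behind any transport. It assumes an HMAC-signed token instead of an encrypted one; the `urn:example:auth` namespace, the `Token` element, the key and all function names are hypothetical.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AUTH_NS = "urn:example:auth"           # hypothetical header namespace
SERVICE_KEY = b"constructed-demo-key"  # constructed; keep real keys in a secret store


def _mac(user_id: str, expires: str, key: bytes) -> str:
    return hmac.new(key, f"{user_id}|{expires}".encode(), hashlib.sha256).hexdigest()


def make_token(user_id: str, expires: int, key: bytes = SERVICE_KEY) -> str:
    """Issue 'user|expiry|mac'; the MAC binds the user id to the expiry time."""
    return f"{user_id}|{expires}|{_mac(user_id, str(expires), key)}"


def authenticate(envelope_xml: str, now: int, key: bytes = SERVICE_KEY):
    """SOAP-filter step: return the authenticated user id, or None.

    Only the envelope is inspected, so the outcome is identical whether the
    message arrived over HTTP, a message queue or any other transport.
    """
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return None
    token = root.findtext(f"{{{SOAP_NS}}}Header/{{{AUTH_NS}}}Token")
    if not token or token.count("|") != 2:
        return None
    user_id, expires, mac = token.split("|")
    # Compare as bytes, in constant time, before trusting any field.
    if not hmac.compare_digest(mac.encode(), _mac(user_id, expires, key).encode()):
        return None
    if not expires.isdecimal() or int(expires) < now:
        return None
    return user_id


def envelope(token: str) -> str:
    """Build a constructed sample request carrying the token in a SOAP header."""
    return (
        f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:a="{AUTH_NS}">'
        f"<s:Header><a:Token>{escape(token)}</a:Token></s:Header>"
        "<s:Body><GetQuote/></s:Body></s:Envelope>"
    )
```

A bearer token like this one can be replayed until it expires, because nothing ties it to the message body it travels with.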

  • Anyone tried encrypting soap messages with WS-Security yet?

    The security guys here also banned access to the soap chat server I set up on the Internet to be able to chat with my old pals... correct, they don't allow Messenger or any other chat-programs. I know I'm not allowed to do chat-stuff over the Internet according to the IT-rules here, but gaaaaahhh!!! I must be able to chat a little with my friends, my mailbox is flooding as it is already!

    I'm thinking of moving my chat Web Service (which is already protected by userid and password in a SOAP header) to another location and encrypting the messages. How hard can it be in .NET?

  • Too much Visio and too little programming - what to do?

    I've been doing too little programming and too much Visio and Word lately, it's getting to me. I guess I have to think up some hobby project or other - any good ideas anyone? I don't have enough spare time to join some bigger projects on the Net though. I've been through a large project like that already when I spent 2 years coding up the UnrealTournament TC called Unreal Fortress. It was way fun but took too much time.

    There must be other programmers like me out there that get thrown into system architecture land instead of software architecture. Way too many nodes and arrows, and way too few classes and uses ;)