Vikas Jain

A blog of SOA and web services security technology I'm working on ...

RESTful STS

Wed, 2010-02-03 14:52
A Security Token Service (STS) typically has a SOAP endpoint, with the WS-Trust standard profiling the interactions. How about taking the complexity of SOAP away and adding the simplicity of a REST interface to the STS? At the end of the day, an STS is a token service that applications use to acquire tokens, and it should be accessible through different types of bindings - SOAP, REST, etc.

What would the interaction pattern for such a RESTful STS look like?
  1. Clients access the RESTful STS using an HTTP GET/POST method, sending the RequestSecurityToken (RST) as part of the HTTP message.
  2. The RESTful STS sends back the requested token as a RequestSecurityTokenResponse (RSTR) in the HTTP response message.
  3. The STS endpoint can be secured like any other HTTP resource, using a web access management product such as Oracle Access Manager (OAM) with username/password or certificate credentials.
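Steps 1 to 3 above, as an added example that is not code from this post or from any Oracle product: a small Python STS that accepts a WS-Trust 1.3 RST in the body of an HTTP POST (no SOAP envelope) and answers with an RSTR. Authentication stays at the HTTP layer, as step 3 describes; here a constructed Basic-auth user table stands in for the web access manager that would sit in front of the endpoint. The token itself is a constructed HMAC-signed stand-in for a SAML assertion, bound to the AppliesTo audience and to an expiry, so a relying party can check both. The `/sts/issue` path, the `urn:example:hmac-token` token type, the key and the user names are all assumptions.

```python
"""Minimal RESTful STS: HTTP POST carries a WS-Trust RST, the response carries an RSTR.
Added illustration; the token format is a constructed HMAC-signed stand-in for SAML."""
import base64, hashlib, hmac, json, secrets, time
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"   # WS-Trust 1.3 namespace
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"        # wsp:AppliesTo
WSA = "http://www.w3.org/2005/08/addressing"                # wsa:EndpointReference
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ISSUE = WST + "/Issue"
TOKEN_TYPE = "urn:example:hmac-token"   # constructed: stands in for a SAML token type URI
TOKEN_TTL = 300                         # token lifetime in seconds

def _b64(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_rst(applies_to, token_type=TOKEN_TYPE):
    """Client side: serialize a WS-Trust Issue request naming the target audience."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = token_type
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = ISSUE
    epr = ET.SubElement(ET.SubElement(rst, f"{{{WSP}}}AppliesTo"), f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to
    return ET.tostring(rst)

def parse_rst(body):
    """STS side: accept only Issue requests that name an audience (rejects anything else)."""
    root = ET.fromstring(body)   # stdlib ElementTree does not resolve external entities
    if root.tag != f"{{{WST}}}RequestSecurityToken":
        raise ValueError("body is not a RequestSecurityToken")
    req_type = root.findtext(f"{{{WST}}}RequestType")
    if req_type != ISSUE:
        raise ValueError(f"unsupported RequestType {req_type!r}")
    applies_to = root.findtext(f"{{{WSP}}}AppliesTo/{{{WSA}}}EndpointReference/{{{WSA}}}Address")
    if not applies_to:
        raise ValueError("AppliesTo is required so the token is bound to one audience")
    return {"token_type": root.findtext(f"{{{WST}}}TokenType") or TOKEN_TYPE,
            "applies_to": applies_to}

def issue_token(subject, audience, key, now=None):
    """Constructed token: base64url(claims JSON).base64url(HMAC-SHA256 over the claims)."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "aud": audience, "iat": int(now),
              "exp": int(now) + TOKEN_TTL, "jti": secrets.token_hex(8)}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def verify_token(token, audience, key, now=None):
    """Relying-party check: signature, audience binding and expiry. None on any failure."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(_unb64(payload))
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims

def handle_rst(body, subject, key, now=None):
    """Build the RSTR for a caller the HTTP layer has already authenticated."""
    now = time.time() if now is None else now
    rst = parse_rst(body)
    token = issue_token(subject, rst["applies_to"], key, now)
    rstr = ET.Element(f"{{{WST}}}RequestSecurityTokenResponse")
    ET.SubElement(rstr, f"{{{WST}}}TokenType").text = rst["token_type"]
    ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken").text = token
    life = ET.SubElement(rstr, f"{{{WST}}}Lifetime")
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    ET.SubElement(life, f"{{{WSU}}}Created").text = time.strftime(fmt, time.gmtime(now))
    ET.SubElement(life, f"{{{WSU}}}Expires").text = time.strftime(fmt, time.gmtime(now + TOKEN_TTL))
    return ET.tostring(rstr)

def extract_token(rstr):
    """Client side: pull the issued token out of the RSTR."""
    return ET.fromstring(rstr).findtext(f"{{{WST}}}RequestedSecurityToken") or ""

STS_KEY = secrets.token_bytes(32)      # constructed; a real STS would use a managed signing key
USERS = {"alice": "correct horse"}     # constructed; stands in for OAM/web-SSO in front of the STS

def basic_auth_user(header):
    """Return the user name from a valid Basic Authorization header, else None."""
    if not header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except Exception:
        return None
    return user if hmac.compare_digest(USERS.get(user, "").encode(), pw.encode()) else None

class StsHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if self.path != "/sts/issue":                      # assumed endpoint path
            return self.send_error(404)
        user = basic_auth_user(self.headers.get("Authorization", ""))
        if user is None:                                   # step 3: authenticate at the HTTP layer
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="sts"')
            return self.end_headers()
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            rstr = handle_rst(body, user, STS_KEY)         # steps 1-2: RST in, RSTR out
        except (ValueError, ET.ParseError) as e:
            return self.send_error(400, str(e))
        self.send_response(200)
        self.send_header("Content-Type", "application/xml")
        self.end_headers()
        self.wfile.write(rstr)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), StsHandler).serve_forever()
```

Run it and POST the output of `build_rst("https://app.example/api")` to `http://127.0.0.1:8080/sts/issue` with Basic credentials; the relying party then calls `verify_token` with its own audience value, which is what makes a token issued for one service useless at another.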

RESTful STS can lead to wider adoption
Many languages/frameworks (such as Adobe Flex and Silverlight) don't support the full capabilities of a SOAP stack, but they do support basic HTTP interactions. Such frameworks could easily plug into a RESTful STS for their token needs.

Applicability of RESTful STS in the cloud
As cloud remains the innovation vehicle for 2010, I try to find applicability of any new concept into the cloud as well.
Today, the Googles, Amazons and Salesforces of the world provide RESTful APIs for all their services. If they decide to broker trust using some sort of STS, then it makes perfect sense for them to provide a RESTful STS, with API keys and OpenID/OAuth models to access it.


OER 11g released

Mon, 2010-02-01 02:23
Oracle Enterprise Repository (OER) 11g is released and generally available for download now. OER, along with OSR (the UDDI registry), OWSM and the EM SOA Management Pack Plus, comprises Oracle's SOA Governance offering. Of all the new features added in this release of OER, there is one feature around closed-loop governance that I would like to discuss in this blog.

Closed-loop governance allows architects to review, at a high level, how the systems and services they designed are behaving in production, and with this knowledge to further enhance the services in their subsequent versions. It provides confidence and production assurance to business people that the investment they have made in SOA is actually being put to use.

In this release of OER 11g, high-level performance metrics from Enterprise Manager (EM) and third-party products such as AmberPoint are rolled up into OER.

Following the same pattern, do you see a need for rolling up policy attachment information from OWSM into OER?

See more of "What's New in OER 11g" here.

Oracle + Sun: Identity Management Strategy webcast

Fri, 2010-01-29 15:47
Watch the Oracle + Sun identity management strategy webcast by Oracle Sr. VP Hasan Rizvi:
http://oracle.com.edgesuite.net/ivt/4000/8104/9236/12628/lobby_external_flash_clean_480x360/default.htm

Oracle + Sun Strategy Webcast

Wed, 2010-01-27 18:57
The Oracle + Sun Strategy Webcast was delivered by Oracle/Sun executives today.
I hope you got a chance to attend it live. If you missed it, check the link again in a couple of days, when the recording will be available for on-demand viewing.

HowTo - OWSM 11g: Creating custom policy assertions

Wed, 2010-01-27 18:53
Similar to OWSM 10gR3, you can extend OWSM 11g using custom policy implementations.
From a terminology perspective, an OWSM 10g custom policy corresponds to an OWSM 11g custom policy assertion.
Here are some quick links that may help if you plan to implement custom policies:
  1. The Creating Custom Assertions section of the OWSM product documentation
  2. The Java API reference for the available APIs
  3. A step-by-step how-to guide on building a sample custom assertion, then deploying and testing it

