WS-Security and WSDL
One of the promises of Web services is to be able to loosely couple the end points and allow the
publishing of services in UDDI directories that can be discovered and invoked dynamically at run
time. Unfortunately, at this point in the technology life cycle, the use of WS-Security in the SOAP
message header prevents us from being able to do this. Today’s Java to WSDL emitters are not yet
able to handle the creation of WSDL documents that appropriately describe the WS-Security
requirements. Plus, even if they could, at this stage, development tools such as WebSphere Studio
Application Developer or Visual Studio .Net couldn’t generate the proxies that handle the WSSecurity
aspects of the service.
As such, the developers of Web services in early 2003 will need to make a conscious trade-off here.
When WS-Security is used, the service provider needs to either provide stubs/proxies which partners
can invoke that handle the WS-Security portion of the message or manually communicate the WSSecurity
requirement of the Web service to their potential business partners and customers. For
the WS-Security-based project described in this paper, proxies that properly sign the message and
insert the WS-Security element into the SOAP data stream were created for Java technology, COM,
and .Net clients. The next generation of Web services development tools from IBM and others
should be able to handle the WS-Security elements of a Web service, but for now, developers need
to understand that this is an achievable, but manual process.
This paper described an Internet-based Web services application that was developed and deployed
in 2002. It was deployed on a WebSphere Application Server and is available for use by our
customer’s business partners. It demonstrates the soundness and overall viability of the draft WSSecurity
specification by offering itself as a proof-point that secure, mission critical, Web services
applications are viable with today’s development tools and deployment platforms. Yes, in our
customer’s case, some non-automated, manual steps were required to handle the WS-Security
element of our SOAP message, but as support for WS-Security gets folded into the next iteration
of the WSDL specification and support is added to the Web services development tools of many
vendors, it will only get better.
2008 | Java Jazz Up |33