August 10, 2006

Why Web 2.0 Needs WS-*

It's good to see the industry finally considering the security implications of some of the emerging "Web 2.0" technology like AJAX.

JavaScript Security Vulnerabilities: Weakness in Web 2.0

A glaring spotlight is now focused on vulnerabilities inherent in a key enabler of the new breed of dynamic Web pages.
Demonstrations at last week's annual Black Hat conference employed Web-page-embedded JavaScript to attack corporate servers.

http://www.adtmag.com/article.aspx?id=19036

To me, the above article reminds me that any time you get past the simplified proof-of-concept technology demos, you very quickly start to hit the point where your communications infrastrucuture needs to provide "enterprise-grade" quality-of-service capabilities such as message security and reliability. In my experience, by far the easiest way to provide those communication QoS capabilities is by using a protocol architecture and tooling that was designed from the start with that incremental composition in mind.

The cost of incrementally adding (say) message -level encryption using WS-Security to an existing SOAP Web Service is negligably small (roughly one extra line of code or XML element block in your config file with Windows Communication Foundation). Compare that to the cost to add message-level encryption to a REST/POX/AJAX communications infrastructure, and I suspect that there are several order-of-magnitude differences in the effort required.

Then consider adding end-to-end message reliability as well as security, and I think your mind may well explode without a composable protocol architecture like WS-*.

As Tim Ewald has said in the past, you're best to pay the "SOAP tax" up front. Then reap the substantial composition / expansion benefits earlier as your communications requirements mature and progress.

While I recognise that there are some very valid applications which can be written using REST / POX / AJAX, I guess my "not enterprisy enough" speculation above is why Stefan Tilkov has me firmly in the WS-* Supporters camp.

And, as if to underscore why I don't see the REST / POX / AJAX "religion" achieving too much traction among enterprises, try explaining the phrase "The Web is All About Relinquishing Control" to any corporate security manager!


Posted by Jorgen Thelin at August 10, 2006 01:53 PM

Comments
I think there's little doubt that in the rush to exploit technologies like Ajax, issues like security get overlooked. But this says nothing over whether hype-trendy Web 2.0 or starched-shirt WS-* technologies are fundamentally better for a given purpose. Basically I think the security issues around Ajax are a red herring. The argument that WS-* infrastructure is better for incremental composition falls at the first hurdle. The protocol infrastructure that Ajax and most RESTful services build on (and most WS-* systems)is HTTP, which is designed to be extensible and fully supports incremental development. The step from the base HTTP to Indigo is hardly a small increment, as you acknowledge when referring to the "SOAP tax". So talking increments, if you want to add e.g. message encryption, wouldn't it be less costly to add just a suitable encryption library, rather than a whole infrastructure stack plus that one line of code? In generally issues like security are easier to manage in systems with fewer moving parts. Surely the adoption of a big complex and opaque toolkit is inviting trouble. Wrapping the wire protocol in layers of packaging as a means to run the data through the chosen codec may look convincing to corporate security managers, but the additional complexity will make it harder in practice to determine how secure the system actually is. This is getting pretty close to security through obscurity. Direct provability is replaced with trust in the tool vendor. Also your points would be more convincing if it didn't seem pretty apparent that the REST / POX / AJAX "religion" has actually achieved considerable traction among enterprises. After all, the vast majority of the current web works on a simple RESTful GET (with the occasional POST thrown in for good measure). Are you suggesting the Web itself is "not enterprisy enough"? Posted by: Danny Ayers on August 11, 2006 10:22 AM
Will Security Worries Dull Ajax's Cutting Edge? by Jay Lyman, LinuxInsider - http://www.linuxinsider.com/story/tTMIA0fEDGb83T/Will-Security-Worries-Dull-Ajaxs-Cutting-Edge.xhtml Posted by: Jorgen Thelin on October 11, 2006 02:55 PM
Post a comment