XML Developer Tip
Implementing XML security
The topic of my last tip was an overview of XML security standards and specifications that described the building blocks whereby programmers or content developers could include major security components within XML applications. Not surprisingly, this unleashed a torrent of questions as to where individuals could go to find tools and APIs that would permit them to employ these capabilities in their own XML applications.
Thereby hangs an interesting tale, and some great future opportunities for further XML infrastructure development. This tale is interesting in part because there aren't too many mature or even well-defined development tools for incorporating XML signatures (and related components like certificates, public/private key pairs, and private key exchange to support encryption services). It's also interesting because the customary methods to incorporate such capabilities into any XML-based application may not yet work—simply because the APIs and tools currently available are wedded to specific Web server platforms or product sets.
In general, the process of building a secure XML application might combine several of these security components in something like the following order:
- A requester of secure services presents a certificate as proof of identity
- The certificate is checked against a trusted certificate authority
- Assuming the certificate is good, the request is subjected to the service's access controls
- If the request is granted, the server uses secure key exchange (also based on the requester's certificate) to provide a session key for encryption
- The actual secure session begins, and encrypted data moves between requester and server until completed
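The first three steps above (present a credential, check it against a trusted authority, apply access controls) can be modelled end to end with an enveloped XML signature, which is the XML Signature building block the column refers to. The following is an added example written for this page, not code from the column or from any of the vendor toolkits it names. It uses only the Python standard library, so the authority's signature is an HMAC keyed with a secret the authority and server share (a labelled stand-in for the public-key signature a real certificate carries), and the `Certificate`, `Subject`, `Serial` element names, the canonicalization routine and the access-control table are all constructed for the example. Steps 4 and 5 (session key exchange and the encrypted session) need public-key and symmetric-cipher operations the standard library does not provide and are marked, not implemented.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

# Constructed trust anchor. In a real deployment the authority signs with a
# private key and the server holds only the matching public key; an HMAC keyed
# with a shared secret is a stand-in so the example runs on the standard
# library alone (an assumption of this example, not the column's design).
CA_KEY = b"constructed-ca-signing-key"

# Constructed access-control table: subject -> permitted actions (step 3).
ACCESS_CONTROL = {"alice": {"read", "write"}, "bob": {"read"}}


def canonicalize(elem):
    """Deterministic serialization: sorted attributes, stripped text, no tails.
    A simplified stand-in for Canonical XML (no namespaces, no escaping)."""
    parts = [f"<{elem.tag}"]
    for name in sorted(elem.attrib):
        parts.append(f' {name}="{elem.attrib[name]}"')
    parts.append(">")
    if elem.text and elem.text.strip():
        parts.append(elem.text.strip())
    for child in elem:
        parts.append(canonicalize(child))
    parts.append(f"</{elem.tag}>")
    return "".join(parts)


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def issue_certificate(subject, ca_key=CA_KEY):
    """Authority issues an XML credential carrying an enveloped signature."""
    cert = ET.Element("Certificate")
    ET.SubElement(cert, "Subject").text = subject
    ET.SubElement(cert, "Serial").text = secrets.token_hex(8)

    # DigestValue covers the certificate as it looks without its Signature
    # element (the enveloped-signature transform).
    digest = hashlib.sha256(canonicalize(cert).encode()).digest()
    signature = ET.SubElement(cert, "Signature")
    signed_info = ET.SubElement(signature, "SignedInfo")
    ET.SubElement(signed_info, "DigestMethod", Algorithm="sha256")
    ET.SubElement(signed_info, "DigestValue").text = _b64(digest)
    # SignatureValue is computed over SignedInfo, which binds the digest.
    mac = hmac.new(ca_key, canonicalize(signed_info).encode(), hashlib.sha256).digest()
    ET.SubElement(signature, "SignatureValue").text = _b64(mac)
    return ET.tostring(cert, encoding="unicode")


def verify_certificate(cert_xml, ca_key=CA_KEY):
    """Step 2: return the certified subject if the signature checks out, else None."""
    try:
        cert = ET.fromstring(cert_xml)
    except ET.ParseError:
        return None
    signature = cert.find("Signature")
    if signature is None:
        return None
    signed_info = signature.find("SignedInfo")
    if signed_info is None:
        return None
    # First the authority's signature over SignedInfo ...
    expected = hmac.new(ca_key, canonicalize(signed_info).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), signature.findtext("SignatureValue", "")):
        return None
    # ... then the digest inside SignedInfo against the signed content.
    cert.remove(signature)
    digest = hashlib.sha256(canonicalize(cert).encode()).digest()
    if not hmac.compare_digest(_b64(digest), signed_info.findtext("DigestValue", "")):
        return None
    return cert.findtext("Subject")


def handle_request(cert_xml, action):
    """Server side of steps 1-3: identity, trust check, access control."""
    subject = verify_certificate(cert_xml)
    if subject is None:
        return "untrusted"
    if action not in ACCESS_CONTROL.get(subject, set()):
        return "denied"
    # Step 4 (wrapping a fresh session key for the requester) and step 5 (the
    # encrypted session) would follow here; both need crypto primitives outside
    # the standard library and are deliberately left out of this example.
    return "granted"


if __name__ == "__main__":
    cert = issue_certificate("bob")
    print(handle_request(cert, "read"))    # granted
    print(handle_request(cert, "write"))   # denied: bob is read-only
    forged = cert.replace("<Subject>bob</Subject>", "<Subject>alice</Subject>")
    print(handle_request(forged, "write"))  # untrusted: digest no longer matches
```

The forged credential in the usage block is what the trust check exists for: editing the `Subject` element changes the canonical content, so the recorded `DigestValue` no longer matches and the request never reaches the access-control step. Checking the signature over `SignedInfo` before the digest is the same order XML Signature verification uses, and the constant-time `hmac.compare_digest` comparisons avoid leaking how many leading bytes of a value were correct.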
But in the absence of general-purpose implementations or APIs to provide such applications, certain tradeoffs or compromises become necessary.
My research into working implementations shows me that significant research and development on this topic is still underway. The furthest progress in constructing such environments appears to involve the Apache Axis Framework (which provides SOAP messaging capabilities) and a related (but non-standard) XML Security package. Sun and IBM also appear to be investing significant effort in making the security capabilities that the standards and specifications describe actually usable in real-world implementations. Useful developer offerings include:
- Baltimore KeyTools XML is rather more PKI-focused than purely XML Security focused, but worth a visit
- IBM XML Security Suite
- Entrust, Inc. offers a broad range of security-related XML development tools
- Sun's Java developer tools and APIs include numerous security-related elements (and outright packages for communications, cryptography, secure sockets, and secure Web services)
Based on what I read and see around the Web, however, it's probably going to be six months to a year before truly general-purpose XML Security toolkits become broadly available. In the meantime, the preceding items offer plenty of choices for learning and experimentation. Also, please stay tuned to these sites for more info:
About the Author
Ed Tittel is a principal at LANWrights, Inc., a network-oriented writing, training, and consulting firm based in Austin, Texas. He is the creator of the Exam Cram series and has worked on over 30 certification-related books on Microsoft, Novell, and Sun-related topics. Ed teaches in the Certified Webmaster Program at Austin Community College and consults. He is a member of the NetWorld + Interop faculty, where he specializes in Windows 2000-related courses and presentations.