Currently Microsoft is working on a sample application that is compliant with the WS-I Basic Security Profile (BSP). This sample application shows you how to build secure web services using WSE. Besides this, the sample also demonstrates interoperability issues and gives some guidance on how to design services that can evolve technology changes by separating the business logic from the transport.

The sample is a “preview release” because the BSP specs don’t have the final status yet. The preview is built using Visual Studio 2003 and WSE 2.0. The final release (which will be available after the BSP specs are final) will be implemented with Visual Studio 2005 and WSE 3.0.

I was one of the lucky ones (J) participating in the reviewing team. So, I had the change to look at the code in an early stage and provide some feedback. I think that this sample is definitely worthwhile spending some time on for anyone interested in web service security and interoperability.

 The sample application will be available somewhere in the coming weeks. Today there is already a webcast available from the Patterns and Practises live site (direct link WS-I BSP webcast) for download. Go check it out!

Currently, one of my colleagues is working on a small assignment to investigate the possibilities of Microsoft Information Bridge Framework (IBF) when it comes to exposing web service functionality to end users. The main goal of this investigation is to determine if IBF is able to communicate with the web services that apply to our internally used reference architecture.

Personally I am not very impressed by IBF yet, but that’s probably because I know very little about this tool. What I do know is that Microsoft is positioning this tool as a key player in its “information worker” marketing strategy so it must be good! For me this tool is just another way to make sure the end user (or should I say Information Worker) continues using the Microsoft Office suite which is probably one of the most important products for Microsoft’s profit. Another thing I know is that many people (especially managersJ) see a lot of opportunities for this tool so we decided to give IBF a fair change.

Therefore my colleague was asked to test if IBF is capable in communicating with “secure” web services. In our case this means that IBF has to communicate with web services that use SOAP headers to support sending “user token” information. After some investigation it turned out that IBF cannot handle SOAP headers (or at least not populate the headers in a “flexible” way). Because I found this very hard to believe I did a quick search on the internet and all found was the capability of IBF to handle “transport layer” security. I noticed that there is very little information available on the internet related to IBF and security. In my opinion using SOAP headers is kind of straight forward when it comes to web services, but I might be wrong.

Is it true that IBF doesn’t support SOAP headers? If so, will this be supported in a next release? If not, IBF is definitely no option for us (at this moment).

If there is anybody out there that can point me to some more information about this, please let me know!

It’s been some time since I have written anything on this blog. I have been busy in the start up phase for some projects. For one of the projects I will be assigned to in the near future, interoperability and web service security will be a big issue. To refresh my memory I decided to go through the Basic Profile 1.0 (BP) specification once again. This profile provides implementation guidelines that help you build web services with maximum interoperability. The web services interoperability organization (WS-I) provides sample implementations (build by different vendors) that demonstrate web service interoperability across the different platforms.

Currently the WS-I is working on the Basic Security Profile (BSP), which covers building interoperable secure web services. The BSP covers guidance for both transport level security and (soap) message level security. Personally I am more interested in the message level security issues. To understand the BSP better I am also spending some time again on the WS-Security specs which describe in detail how to secure web services on the message level. Of course when thinking of web services and security in a Microsoft world we cannot forget WSE, so that is also on my ToDo list again.

At first, reading through these WS-* specs and profiles doesn’t seem very interesting but having a detailed look at the implementation that is available (WSE and BP 1.0 sample application) makes life a little more interesting. After having spent some time on it I even start to like it. So, maybe I’ll be back with more info about web service security soon. (I promise I’ll try to make this blog not more boring than it already is).