Having one's cake and eating it too

Don Box's Spoutlet

Sam has an interesting response to my bitching about authentication.

“I’d suggest that the root problem here has nothing to do with HTTP or SOAP, but rather that the owners and operators of properties such as Facebook, Flickr, and GData have vested interests that need to be considered.”

Two thoughts:

1. If I'm happy to eschew WSDL and program native XML, am I being inconsistent in wanting a better authn story “out of the box,” which is what my allusion to WS-Security was implying? Maybe, but then again, I like being able to treat HTTP as ubiquitous and would hate to have to build an HTTP stack for every application.

2. Do the vested interests of owner/operators justify the invention of non-uniform mechanisms for security that seem to break down much of the utility of the “uniform interface” arguments of REST? Unless I'm mistaken, the URIs used in these services have far less utility/portability than the ones Roy et al. talk about.

I need to chew on the first one some more, since it's really about how I think about the world.

On the second one, I probably just need to be educated.

Posted Nov 12 2007, 08:41 AM by don-box

Comments

Sam Ruby wrote re: Having one's cake and eating it too
on 11-12-2007 10:00 AM
"Out of the box", exactly what security mechanisms does WS-Security (http://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf) provide?
Don Box wrote re: Having one's cake and eating it too
on 11-12-2007 10:09 AM
Sam,

Without a mechanism for getting a token, not much.

I typically think of WS-Security and WS-Trust as a unit, but you are correct, they are distinct.

DB
Tim Bray wrote re: Having one's cake and eating it too
on 11-12-2007 10:18 AM
Well, the theory is that RFC2617 should decouple the URI space and so on from the necessary authent dialogues. The GData people claim that their authent, for example, is 2617-compatible; and Joe Gregorio is shipping code that claims to make it transparent, assuming you have a general-purpose 2617-style dispatcher in your code.

Having said that, in general this is in fact something of a bleeding sore. It's exacerbated that security groups are highly empowered and tend to say "You must use THIS, screw standards".
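The "general-purpose 2617-style dispatcher" Tim describes is the piece that keeps authentication out of the URI space: the client asks for a resource, gets a 401 with one or more WWW-Authenticate challenges, picks a scheme it understands, and retries with an Authorization header. The following is an added example, not code from the post or from any of the commenters; it assumes one challenge per header value, MD5 Digest with qop=auth (or the legacy no-qop form), and uses the constructed challenge and credentials from RFC 2617's own worked example so the result can be checked against the RFC. It prefers Digest over Basic and returns nothing, rather than credentials, for a scheme it does not recognise.

```python
import base64
import hashlib
import re

# One challenge: "<scheme> key=value, key="quoted value", ..." (assumed one per header value).
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_challenge(header_value):
    """Split one WWW-Authenticate value into (scheme, params); keys are lower-cased."""
    scheme, _, rest = header_value.strip().partition(" ")
    params = {}
    for m in _PARAM_RE.finditer(rest):
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        params[m.group(1).lower()] = raw.replace('\\"', '"')
    return scheme.lower(), params


def _md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def basic_authorization(user, password, params, request):
    """RFC 2617 section 2: base64(user:password). Nothing from the challenge is bound in,
    so this is only acceptable over TLS."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def digest_authorization(user, password, params, request):
    """RFC 2617 section 3 with algorithm=MD5; supports qop=auth and the no-qop (RFC 2069) form."""
    realm, nonce = params["realm"], params["nonce"]
    ha1 = _md5_hex(f"{user}:{realm}:{password}")
    ha2 = _md5_hex(f"{request['method']}:{request['uri']}")
    fields = [f'username="{user}"', f'realm="{realm}"', f'nonce="{nonce}"',
              f'uri="{request["uri"]}"']
    qops = [q.strip() for q in params.get("qop", "").split(",") if q.strip()]
    if "auth" in qops:
        nc, cnonce = request["nc"], request["cnonce"]   # client-side replay counter and nonce
        response = _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        fields += ["qop=auth", f"nc={nc}", f'cnonce="{cnonce}"']
    elif qops:
        raise ValueError(f"unsupported qop values: {qops}")   # e.g. only auth-int offered
    else:
        response = _md5_hex(f"{ha1}:{nonce}:{ha2}")
    fields.append(f'response="{response}"')
    if "opaque" in params:
        fields.append(f'opaque="{params["opaque"]}"')      # echoed back unchanged
    return "Digest " + ", ".join(fields)


# Preference order: the scheme that does not send the password itself comes first.
HANDLERS = [("digest", digest_authorization), ("basic", basic_authorization)]


def respond_to_challenge(www_authenticate_values, user, password, request):
    """Given the WWW-Authenticate values from a 401, return (scheme, Authorization value)
    for the strongest supported scheme, or None if no offered scheme is understood."""
    offered = dict(parse_challenge(v) for v in www_authenticate_values)
    for scheme, handler in HANDLERS:
        if scheme in offered:
            return scheme, handler(user, password, offered[scheme], request)
    return None


if __name__ == "__main__":
    # Constructed input: the challenge and credentials from RFC 2617's worked example.
    challenge = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
                 'opaque="5ccc069c403ebaf9f0171e9517f40e41"')
    req = {"method": "GET", "uri": "/dir/index.html", "nc": "00000001", "cnonce": "0a4f113b"}
    print(respond_to_challenge([challenge], "Mufasa", "Circle Of Life", req))
```

Because the dispatcher is keyed on the scheme name and never on the URI, the same client code works against any origin that speaks RFC 2617, which is the decoupling the comment refers to; a provider that invents its own header, or a request-signing scheme that reads the body, falls outside this loop and needs its own handler.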
Sam Ruby wrote re: Having one's cake and eating it too
on 11-12-2007 10:46 AM
OK, add WS-Trust then.

Using only those two specs, what "ValueType" does one use for Kerberos? X509?
HTTP Pooler wrote re: Having one's cake and eating it too
on 11-12-2007 12:04 PM
Can't hold it really, here's my most sincere thought!

3. Do the vested interests of owner/operators justify industry-wide waste of money, space and time while those same guys actually build those services on top of protocols that are nowhere close to HTTP at the back end?

4. Do the same guys giving me that same service corrupt my money balance, pictures, contacts, give me crashes, you name it? It is not just security, it is reliability, NIH-programmatic usability and maintenance (of decent throughput and costs too).

Otherwise, what on earth are those APIs for? For vested interest in HTTP? Of course not.

So if there is a custom protocol for each hop, what can be done if there is no uniform and extensible header information? Parse the bodies like no HTTP proxy in the world does properly? And then infer some nonsense?

Just because HTTP fabric is free out there on the Web, and WS doesn't have full hardware backing (that it should to succeed really IMO), then really we are just hacking on top of HTTP, which is not much different than hacking TCP and byte streams HTTP is built on while imposing some idiotic restrictions on many systems, namely request/response and plenty of other junk, I am not even talking of payload.

I am particularly psd off at REST proponents which I know of only talk and build from toying (no great app really) with allRESTshabangNULLsystem, and run consultancy shows in big houses or privately. Yeah it works for some systems but they are no Google scale are they?

I am also very pleased to see nothing good done in WS and MS world to reduce junk and crypt-my-W3C-spec detail on the wire and integration development efforts.

Unjustified stateless religion in all stateful world with boundaries an idiotic protocol makes even harder to mould, what a great future we have.. hope that hurts the purity lovers :-)

And sure, here comes someone saying Web is the most scalable system known to man, because it is REST.. no it isn't. It is because it has infrastructure behind it and a better one can be made, like my girlfriend can make a better cake after 5000 attempts.

Ctrl+C
Mary Branscombe wrote re: Having one's cake and eating it too
on 11-12-2007 1:55 PM
Facebook et al remind me more and more and more of AOL in the glory days, down to Open Social as the new Magic Carpet, father of Liberty Alliance. When the eyeballs are your business trusting that identity and authentication layers that really are standards will bring in as many people as leave in the revolving door is a scary thought if you don't actually understand network effects. This is a lot more political than technical in many ways.
