Friday, September 17, 2004

The state of the WS-* stack

If you've been reading my updates you will know that I've been very concerned about the status of the WS-* stack (the set of standards that can be implemented on top of the basic Web Service standards of SOAP, WSDL and UDDI).

My major concern has been that you cannot currently describe a service that utilises any more than the basic standards; my main case in point was that there is no standard way in WSDL to describe the WS-Security requirements of a service.

Since those recent postings, and the release of the WS-Reliability first draft, I've been catching up on the state of the various WS-* stack standards. Here is what I've found, some of which is definitely not good news.

Firstly, here is a pretty good overview of the various standards:

The Web Services Protocol Stack

Next, going back to the WS-Security example that I have talked about before. My problem with this was that there appeared to be no way to describe the WS-Security requirements of a service in the WSDL file, and therefore no way to programmatically create clients for that service without some form of human intervention.

After doing some research, which I should have done before, I now understand what is going on. I think my problem was in the fact that WS-Security is now an OASIS standard, but it had originally come from the Microsoft/IBM camp. In the MS/IBM camp, the preferred way of dealing with programmatic descriptions of WS-* stack requirements is to place the information into WS-Policy XML.

WS-Policy is simply a framework to contain policy assertions; these are standard-specific and are described in other documents (for example the WS-Security Policy standard).

WS-Policy in itself does not describe a way of attaching the policies to service descriptions; this is dealt with by the WS-PolicyAttachment standard. In this standard there are descriptions of how to attach WS-Policies to both WSDL and UDDI.
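The attachment model described above, as an added example that is not part of the original post: a Python sketch of how a client generator could read the policy requirements of each WSDL binding without human intervention. It assumes the September 2004 WS-Policy namespace, policies in normal form referenced by a local `#id`, and a constructed WSDL whose `urn:example:sec` assertions are placeholders, not real WS-Security Policy elements.

```python
import xml.etree.ElementTree as ET

# Namespaces: WSDL 1.1, WS-Policy (assumed 2004/09 version), WSS utility schema (wsu:Id).
WSDL = "http://schemas.xmlsoap.org/wsdl/"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample: 'urn:example:sec' and its assertion names are placeholders.
SAMPLE = f"""<definitions xmlns="{WSDL}" xmlns:wsp="{WSP}" xmlns:wsu="{WSU}"
    xmlns:ex="urn:example:sec" name="Quote">
  <wsp:Policy wsu:Id="SecureMsg">
    <wsp:ExactlyOne><wsp:All>
      <ex:RequireSignedBody/>
      <ex:RequireToken type="X509"/>
    </wsp:All></wsp:ExactlyOne>
  </wsp:Policy>
  <binding name="QuoteSecure" type="QuotePort">
    <wsp:PolicyReference URI="#SecureMsg"/>
  </binding>
  <binding name="QuotePlain" type="QuotePort"/>
  <binding name="QuoteBroken" type="QuotePort">
    <wsp:PolicyReference URI="#Missing"/>
  </binding>
</definitions>"""

def binding_policies(wsdl_text):
    """Map each binding name to its policy alternatives (lists of assertion names).

    None marks a reference that cannot be resolved: a client generator should
    refuse to build a stub rather than silently drop a security requirement.
    """
    root = ET.fromstring(wsdl_text)  # parse only trusted WSDL with the stdlib parser
    policies = {p.get(f"{{{WSU}}}Id"): p for p in root.iter(f"{{{WSP}}}Policy")}
    result = {}
    for binding in root.iter(f"{{{WSDL}}}binding"):
        alternatives = []
        for ref in binding.findall(f"{{{WSP}}}PolicyReference"):
            uri = ref.get("URI", "")
            policy = policies.get(uri[1:]) if uri.startswith("#") else None
            if policy is None:
                alternatives = None  # unresolved: fail closed
                break
            for alt in policy.iter(f"{{{WSP}}}All"):
                alternatives.append([a.tag.split("}")[1] for a in alt])
        result[binding.get("name")] = alternatives
    return result

if __name__ == "__main__":
    for name, alts in binding_policies(SAMPLE).items():
        print(name, alts)
```

An empty list means the binding carries no policy at all, which a generator must treat differently from `None`, where a policy was referenced but could not be found.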

Now I like the WS-Policy framework. I think it is nicely lightweight in its core specification, nicely extended for the standard-specific assertions, and I also like the separation of the attachment details. However, this does not solve the WS-Security issue.

You see, WS-Security is now an OASIS standard, but WS-Policy has not yet been submitted. So while we are all agreed on how to implement Web Services security, we have no (independently standardised) way to attach these requirements to our service descriptions.

I need to do more thinking about this, but I am wondering where we go from here. In my mind I am formulating what I see as the WS-* stack Base Implementation, the minimum set of standards that need to be implemented before Web Services become truly usable for industry, and the more I look into it, the further away this goal becomes.

Anyway, time for Friday drinks in the pub. I will post more on this later, including any findings on the MS/IBM camp WS-ReliableMessaging standard versus the OASIS WS-Reliability standard... surely things can only get better!