email article printer friendly

Secure Web Services Across Platforms
BEA's CTO Scott Dietzen talks about integration and security across the .NET/Java chasm.
by Elise M. Peterson and Lee Thé

BEA is a force in the Java world; its product line includes the WebLogic Server, Portal, Integration, and Workshop, along with the older Tuxedo application management environment. BEA matters to many .NET development groups because they're often called on to integrate their applications—particularly .NET clients—with Java-based servers and Web services such as BEA's and IBM's. Heterogeneous systems represent a critical security arena, and BEA's Fortune 500 customer list means the company has to actively pursue standards-based security solutions. BEA has been a leader in this area, so it made sense for .NET Magazine to talk with CTO Scott Dietzen about integration and security across the .NET/Java chasm.

The lack of security in the Web services model has been seen as a significant barrier to their acceptance in the enterprise. The introduction of a number of standards in this area appears to be setting the stage for big changes in the way Web services are leveraged, both inside and outside the firewall. .NET Magazine talked with Scott Dietzen, CTO of BEA, to get his inside perspective on what you can expect to see with the future of Web services security.

.NET Magazine: Surveys throughout the industry show that integration is a primary concern of IT departments. Do you believe Web services have everything necessary to enable the integration to alleviate their concerns?

Scott Dietzen: Certainly, over time, I believe that will be the case. We actually coined the term "Web 2.0" to talk about the Web services movement. The Web to date has just been about the user interface—putting a browser in front of data and applications. But by some accounting, 70 percent of discretionary IT dollars go to trying to integrate systems. And we've watched our customer base get much more sophisticated. Now, before they buy or build an application, they want to understand the integration costs required to get that application to work with the rest of their environment.

So there's a compelling need that IT now understands a lot better. There is no "Microsoft of integration," if you will, because this is such a large and pervasive business. We need standards to make it work—just as we did around the Web.

We're convinced Web services represent that movement. But it's also fair to say that there's more work to be done. I generally tell customers it's a pretty safe bet that they'll find interoperability between .NET and the Java world anywhere inside the core Web services stack validated by the Web Services Interoperability Organization [WS-I; see www.ws-i.org]. SOAP and XML schema and WSDL [Web Services Description Language] are working fine today.

In fact, recently, I did an ad-hoc survey of 40 of our high-end customers at our user group for an architectural summit. And all of them claimed to have Web services in production, both for transactions and queries. Most interestingly, two thirds of them claimed to have interoperability between .NET and Java in production, using Web services. That was exciting and gratifying to see.

Now on the reverse side, there are still outages. We're closest to closing the ones covered by the WS-Security Extensions [including Policy, Trust, Secure Conversation, and Security Policy]. We're also working on guaranteed delivery, also known as Reliable Messaging. This WSRM specification will enable you to send an order or [stock] trade and guarantee its reception at the other end—even over the Internet. Web services don't do that today. A supporting specification, WS-Addressing, will help.

One security extension we think is crucial is WS-Policy. This helps us define more quality of service criteria around Web services, so we know a system speaks to other systems, and we can be assured they work seamlessly together.