OWSM supports SAML, so brokered authentication and an Authorization pattern can be supported as well. It all sounds good. However, there are some other requirements that should be taken into consideration:
• OSB is an SE on top of WLS with a connection to the DB (in the full version). With so many moving parts (OS + JVM + WLS + OSB + OWSM, and a DB somewhere nearby), would you consider moving it to the DMZ, given that a security perimeter should sit in front of the firewall, not behind it?
• Conventional XML parsers and validators do the XML validation. They are well known and have been exposed to very thorough scrutiny, not always with good intentions. Naturally, XDK development is focused on functionality first and good performance after that; honestly, security is not given the highest priority, as it is performance's natural enemy. Would you consider putting a functionally brilliant but potentially insecure XML validator in place as your northbound XML Gateway?
• Talking about performance, we have to admit that conventional validators and transformation engines are not the best players. A secure perimeter should be considered a corporate asset, common to all projects and products. It's not that uncommon to see about 10 K tps with a 5 K SOAP message per single node (VM, 2 CPU, 8 GB).
Yet another architectural approach should be evaluated. The security perimeter is an ESB with all the common features we mentioned before. It can perform service brokering, mediation, and protocol bridging, both for message and transport protocols, and can also apply corporate policies (with security in mind first). Thus, for external services, the presence of this framework makes the conventional Enterprise Service Bus (ESB) handling the Enterprise Business Services (EBS) layer quite superfluous, especially from a performance point of view. At the same time, services with outbound-only MEPs can reside in the conventional EBS layer and employ the security features of OSB, where that is possible from a functional and/or performance point of view.
Functionality specific to the security perimeter (SP) ESB is expressed by the following SOA security patterns, specific to a service message in transit, for transport and message-based security:
Message screening: We must prevent the infiltration of insecure message content through the SP. One of the measures addressing it is XSD-based validation, which could be ineffective in the case of a conventional XML processor.
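To make the message screening pattern concrete, here is an added example (not from the book, and not OSB or OWSM code) of a hypothetical perimeter filter in Java: it validates inbound XML against a constructed XSD with JAXP's secure-processing and external-access restrictions switched on, and answers a rejection with an opaque fault so the validator's own error text stays in the server log rather than reaching the caller.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;
/** Hypothetical perimeter filter: XSD message screening with a hardened JAXP validator,
 *  returning a shielded fault so parser/validator detail never reaches the caller. */
public class PerimeterScreen {
    // Constructed sample schema: the only message shape the perimeter admits.
    static final String XSD =
        "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'>"
      + "<xs:element name='order'><xs:complexType><xs:sequence>"
      + "<xs:element name='id' type='xs:positiveInteger'/>"
      + "</xs:sequence></xs:complexType></xs:element></xs:schema>";
    private final Validator validator;
    public PerimeterScreen() throws SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // Secure processing turns on the JDK's entity-expansion and resource limits.
        sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty access lists: never fetch external DTDs or schema imports on a caller's behalf.
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Schema schema = sf.newSchema(new StreamSource(new StringReader(XSD)));
        validator = schema.newValidator();
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
    }
    /** Null when admitted, else a generic fault; the real exception is logged server-side only. */
    public String screen(String xml, int maxBytes) {
        if (xml == null || xml.length() > maxBytes) return "Message rejected: size limit exceeded";
        try {
            validator.validate(new StreamSource(new StringReader(xml)));
            return null;
        } catch (SAXException | IOException e) {
            String ref = Long.toHexString(System.nanoTime()); // correlation id, not the cause
            System.err.println("screen reject " + ref + ": " + e.getMessage());
            return "Message rejected (ref " + ref + ")";
        }
    }
    public static void main(String[] args) throws SAXException {
        PerimeterScreen ps = new PerimeterScreen();
        System.out.println(ps.screen("<order><id>42</id></order>", 65536));
        // Constructed bad input: a DOCTYPE-defined entity yielding a non-integer id.
        System.out.println(ps.screen("<!DOCTYPE o [<!ENTITY e 'x'>]><order><id>&e;</id></order>", 65536));
    }
}
```

A JAXP Validator is not thread-safe, so a real perimeter filter would keep one instance per worker thread rather than sharing this one.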
Exception shielding: We must prevent the exposure of a service's error stack trace to the outside world. The SP is not the optimal place for this, as the service itself