Tool eases move to Liberty 1.0
Web services application developers working to implement the XML-based
Liberty 1.0 security specification from the Liberty Alliance need flexibility in
implementation, according to Roger Sullivan, president of Phaos Technology
Wall Street-based Phaos, which released a Java-based toolkit for implementing
Liberty 1.0 this month, is responding to developer demands for flexibility, said
Sullivan. The Liberty 1.0 standard, created by the Liberty Alliance, aims to let
users store personal preferences identifiers. The group was formed by Microsoft
competitors like Sun, Novell and Oracle along with several user organizations to
counter Microsoft's Passport effort.
''One of the early customers for this toolkit is a manufacturing consortium
that is putting together an application that will allow them to communicate with
agents around the country,'' Sullivan said, noting that the undisclosed firm
sought to link agents to data on credit information, loan applications and the
like. He maintained that the Phaos Liberty-compliant toolkit enabled the firm to
build the application as they wanted.
Ari Kermaier, senior software engineer at Phaos, described his company's
toolkit as ''a set of class libraries and a Java API in terms of which the
developer can program his application, similar to the way the Sun JDK gives you
class libraries for collection classes like hash tables. [It] provides class
libraries for security and, in this case, for the message classes and message
structure for Liberty. Those sit on top of more general class libraries for
SAML, of which Liberty is a profile, and it also includes libraries for basic
XML security such as signed documents, encryption and SOAP Security.''
The Phaos Liberty Toolkit is not an end-to-end solution, Kermaier said,
because that would limit how the developer could implement it in applications
requiring single sign-on and other security technologies. The toolkit implements
all the message constructs of the Liberty specification so that programmers can
exchange the Liberty specification messages for whatever application they are
focusing on, such as single sign-on, he said. ''We've also implemented the
transport bindings for SOAP and HTTP. What we haven't done is integrate it into
a fixed end-to-end solution the way some of the larger vendors have. We've left
it flexible so that programmers can tailor it to their individual situation and
perform the message exchanges they want to perform.''
Phaos' Sullivan argues that providing this kind of flexibility in
implementing the Liberty Alliance vision of Federated Identity is the most
realistic approach to Web services security.
''We think, frankly, as people are feeling their way to implementing these
Federate Alliance authentication models, they will want more flexibility rather
than less,'' Sullivan said. ''Everyone has evolved their own business practice
over 20, 50, 100 years. And we're not going to be able to flip a switch and have
everyone in the Federate Alliance work in the same way.''
In addition to vendors like Sun and Oracle, the Liberty Alliance includes
user companies like American Express, AOL Time Warner, Bell Canada, Citigroup,
France Telecom, General Motors, Hewlett-Packard Company, MasterCard
International, Nokia, NTT DoCoMo, Openwave Systems, RSA Security, Sony Corp.,
Sun Microsystems, United Airlines and Vodafone.
For more information click on http://www.projectliberty.org or http://www.phaos.com.
Rich Seeley is Web Editor for Campus Technology.