Kit helps you to create safe "Liberty" Web services
- By John K. Waters
[PROGRAMMERS REPORT, November 5, 2002] -- Web services protocols promise loosely coupled application integration, but
securely authorizing and authenticating users as they navigate Web services apps
could be a programmer's nightmare. While bits and pieces of identification
infrastructure could be assembled from specs in the past, one firm has focused
on tools that ease security development for Liberty Alliance Web services
Secure and reliable management of Web-based identification and authentication
is the very raison d'etre of the Liberty Alliance Project, a coalition of
companies formed last summer to deliver and support a federated network-identity
solution for the Internet that enables single sign-on for consumers and business
''The idea is to create standards for identifying users the first time they
log on and then letting other sites recognize and authenticate the user,''
explained Roger Sullivan, president of Phaos Technology. ''Security is an
essential component of any commerce activity on the 'Net, and that's what this
federated alliance is driving toward.''
Phaos was an early supporter of the alliance. The New York-based company
released a toolkit for developing applications based on the Liberty
specifications last July, just about the time the specs were announced.
Recently, the company released the 2.0 version of that toolkit. The Phaos
Liberty Toolkit supports Liberty's sign-on authentication and authorization
specifications. The Java-based toolkit allows developers to build single sign-on
support into apps, and supports the consolidation of multiple enterprise
authentication schemes via new XML-based Web services architectures. The toolkit
also supports XML digital signatures and XML encryption.
The company also announced the Phaos XML Toolkit 2.0, a Java toolkit for
building secure XML-based apps, as well as Phaos SAML 1.0, which provides a
protocol to communicate assertions of an entity's security attributes,
authentication and authorization.
''What we provide is what we call the Liberty service-enabling components,''
Vamsi Motukuru, CTO at Phaos, told Programmers Report. ''Our toolkit allows you
to create the Liberty protocol messages and provides support for exchanging
these messages. It allows you to create, say, a single sign-on request message.
It provides various security options, like signing or encryption.''
Motukuru said the software also provides integrated functionality that
supports SOAP message transport over SSL connections. The software can also take
advantage of cryptographic hardware to perform security operations.
The brainchild of Sun Microsystems, the Liberty Alliance spec is an
alternative to Microsoft's .NET Passport initiative. The group's main goals are
to solve authentication problems for users logging on to Web services.
''The Liberty SDK gave customers a collection of tools from which they could
build their own Liberty-compliant application,'' Phaos Technology's Sullivan
said. ''All the components were there, but [developers] had to put them together.
With this toolkit, we've assembled the pieces into a unified collection to make
it easier for them to build a Liberty-compliant application.''
A time-limited evaluation copy of the Phaos Liberty Toolkit is available for
download at http://www.phaos.com/products/liberty/liberty.html.
For other Programmer Report articles, please go to http://www.adtmag.com/article.asp?id=6265
John K. Waters is a freelance writer based in Silicon Valley. He can be reached