XML Daily Newslink. Monday, 19 March 2007
- From: Robin Cover <robin@oasis-open.org>
- To: XML Daily Newslink <xml-dailynews@lists.xml.org>
- Date: Tue, 20 Mar 2007 04:22:27 -0400 (EDT)
A Cover Pages Publication http://xml.coverpages.org/
Provided by OASIS http://www.oasis-open.org
Edited by Robin Cover
====================================================
This issue of XML Daily Newslink is sponsored by
Sun Microsystems, Inc. http://sun.com
====================================================
HEADLINES:
* Sun To Provide Commercial Support for Glassfish
* WS-Trust 1.3 Approved as an OASIS Standard
* CA Extends Introscope to SOA Management
* Newsmaker: Gosling Looks Down Sun's Open Road
* Expressing Untested And Untestable Constraints in Schematron
* Info Sharing Depends on the Filters
----------------------------------------------------------------------
Sun To Provide Commercial Support for Glassfish
Sean Michael Kerner, Internetnews.com
Sun is ramping up for the final release later this year of its next
generation Glassfish Java EE application server. Glassfish V2,
currently in beta, won't just be for developers but will also be
suitable for full production deployments and will be commercially
supported by Sun. According to the press release: Sun "announced the
beta release of the GlassFish V2, the next major version of the open
source Java EE 5 application server and the release of the Sun Web
Developer Pack, a toolkit designed for simplifying and enabling
advanced rich Internet applications for the Java platform. These
releases help enterprises build and deploy SOA and Web 2.0 applications
and services leveraging next generation web technologies such as Ajax,
Scripting and REST that simplifies development and deployment of
scalable, interactive applications. The GlassFish V2 Beta adds all
the enterprise features from Sun's Java System Application Server
Enterprise Edition, such as clustering, administration, Web Services
Interoperability Technology (WSIT) and load balancing to support highly
scalable, volume enterprise deployments for SOA and Web 2.0
applications. A few of these features include: (1) WSIT integration:
allowing applications to interoperate between Web services hosted on
Java and Windows environments. (2) Java Business Integration (JBI):
providing native SOA support. (3) NetBeans IDE integration: enabling
developers to deploy SOA applications by designing BPEL business
processes as well as building and testing composite applications
with the NetBeans Enterprise Pack. The Sun Web Developer Pack
simplifies access to multiple open source technologies for creating
rich Internet-based applications, REST Web services and RSS feeds
more rapidly. The availability of the Web 2.0 toolkit reinforces Sun's
commitment to provide the developer community with next-generation
Java technologies such as Project jMaki, Project Phobos, Dynamic
Faces, WADL, ROME, and Atom."
http://www.internetnews.com/dev-news/article.php/3666281
See also the announcement: http://www.sun.com/aboutsun/pr/2007-03/sunflash.20070319.1.xml
----------------------------------------------------------------------
WS-Trust 1.3 Approved as an OASIS Standard
Staff, OASIS Announcement
The "WS-Trust 1.3" specification produced by members of the OASIS Web
Services Secure Exchange (WS-SX) Technical Committee has been approved
as an OASIS Standard. WS-Trust defines extensions that build on
WS-Security to provide a framework for requesting and issuing security
tokens, and to broker trust relationships. Specification requirements
included (1) requesting and obtaining security tokens, and (2)
establishing, managing and assessing trust relationships. The goal of
WS-Trust is to enable applications to construct trusted SOAP message
exchanges. This trust is represented through the exchange and brokering
of security tokens. This specification provides a protocol agnostic
way to issue, renew, and validate these security tokens. The WS-Trust
specification is intended to provide a flexible set of mechanisms that
can be used to support a range of security protocols; this specification
intentionally does not describe explicit fixed security protocols. As
with every security protocol, significant efforts must be applied to
ensure that specific profiles and message exchanges constructed using
WS-Trust are not vulnerable to attacks -- or at least that the attacks
are understood. Authentication of requests is based on a combination
of optional network and transport-provided security and information
(claims) proven in the message. Requestors can authenticate recipients
using network and transport-provided security, claims proven in messages,
and encryption of the request using a key known to the recipient. One
way to demonstrate authorized use of a security token is to include a
digital signature using the associated secret key (from a proof-of-
possession token). This allows a requestor to prove a required set of
claims by associating security tokens (e.g., PKIX, X.509 certificates)
with the messages. If the requestor does not have the necessary token(s)
to prove required claims to a service, it can contact appropriate
authorities (as indicated in the service's policy) and request the
needed tokens with the proper claims. These "authorities", which we
refer to as security token services, may in turn require their own set
of claims for authenticating and authorizing the request for security
tokens. Security token services form the basis of trust by issuing a
range of security tokens that can be used to broker trust relationships
between different trust domains. The WS-Trust specification also
defines a general mechanism for multi-message exchanges during token
acquisition. One example use of this is a challenge-response protocol
that is also defined in this specification. This is used by a Web
service for additional challenges to a requestor to ensure message
freshness and verification of authorized use of a security token.
http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-spec-cs-01.htm
See also the announcement: http://lists.oasis-open.org/archives/tc-announce/200703/msg00021.html
----------------------------------------------------------------------
CA Extends Introscope to SOA Management
Antone Gonsalves, InformationWeek
Enterprise software maker CA has introduced software that extends its
Wily Introscope application management suite to service-oriented
architectures. The Wily SOA Manager can manage transaction performance
within an SOA by automatically identifying dependencies among services,
monitoring service-based business processes, and alerting IT staff to
problems. SOA Manager requires Wily Introscope and supports a number of
technology platforms, including Apache Axis, BEA Systems' WebLogic
server, IBM's WebSphere application server, SAP's NetWeaver, and the
Microsoft .Net Framework. "Features of the new product include: (1)
Out-of-the-box SOA and Web Services monitoring: Automatic discovery and
monitoring of services and service business units with pre-configured
dashboards; (2) Error Detection and Impact Analysis: Monitor the
performance and verify the content of cross-machine, heterogeneous
transactions and multi-step business processes; (3) Synthetic transaction
generation: Enables monitoring of business process performance and
availability and across complex applications via Service chains; (4)
Service Groups: Automatic discovery of service dependencies and data
collection from UDDI repositories. Ability to group services together
for centralized configuration of alerting and reporting policies; (5)
Customizable reporting: Allows reporting and analysis for Sarbanes-Oxley
and ITIL compliance -- as well as storage of all live performance data
for trend analysis, capacity planning and other essential management
tasks."
http://www.informationweek.com/news/showArticle.jhtml?articleID=198100011
See also the announcement: http://www3.ca.com/press/PressRelease.aspx?CID=101335
----------------------------------------------------------------------
Newsmaker: Gosling Looks Down Sun's Open Road
Sylvia Carr, CNET News.com
Openness breeds trust -- and more secure software. That's the message
from the man known as the "father of Java," James Gosling. He's still
at Sun Microsystems working on software development tools and aligning
the strategies for the language and platform he created more than a
decade ago. Silicon.com recently caught up with Gosling to discuss
Sun's decision to release Java under the GPL (General Public License),
whether open source is more secure than proprietary software, how IT
departments can cut development costs, and why Microsoft still owns
the desktop. Gosling: "[An open-source development model is inherently
better for security because it's the only way that you can come to
trust a piece of software. Security is a very different kind of thing
to test because in security you're not trying to test that the thing
you built works. You have to do that but you have to figure out --
are there any cracks? Are there any flaws at the design level? And
there aren't automated testing techniques (for that). There's nothing
that replaces somebody putting on a black hat and saying, "OK, I'm
gonna try to break you." And then they do. Ten years ago people were
breaking into Java now and then, but always in a spirit of co-operation.
We had a number of people find chinks in the armor which we fixed
almost immediately. There's not been a single incident of actual loss
due to a security issue. There is no Java antivirus software because
it's not necessary. We've had 12 years of intense scrutiny by experts
all over the world... when you build tests, the tests are inherently
limited by what you think they're going to do to break in. You can
build tests to make sure any of the break-in techniques you know of
are stopped. And you can sit around scratching your head thinking of
new ways to break into things. But you're not going to be anywhere
near as creative as thousands of grad students out there adding a
chapter to their Ph.D. thesis."
http://news.com.com/2008-7344_3-6168505.html
----------------------------------------------------------------------
Expressing Untested And Untestable Constraints in Schematron
Rick Jelliffe, O'Reilly Articles
Schematron is an ISO standard schema language for making assertions
about the presence or absence of patterns in XML documents. It has
fairly widespread use, from publishing to transport to financial and
insurance to health systems, but is not supported by major vendors yet.
Schematron is aimed at being a general purpose (rather than domain-
specific) rules language for expressing both the kinds of complex
structural rules that are beyond the reach of XML Schemas schemas and
for expressing simple business rules. Most people use my open source
XSLT implementations of Schematron 1.5, but versions exist from other
developers in Python, Perl, C#, and Java. One of the aims of Schematron
was to allow all the constraints in a system to be printed out in
bullet list form: literate programming comes to schemas. ISO Schematron
allows you to put requirements in free text paragraphs (customer's
view), then to put the natural language assertions that test these
in bullet point form (the analyst's view), then to arrange and mark
these assertions up with the appropriate IDs and XPaths (the developer's
view). This can improve traceability from requirements to analysis
to implementation for validators. But one persistent problem has been
that there are often business requirements which are untestable. And
there is another kind of constraint that is not tested but will be
testable later: perhaps you haven't got the XPath skills to create
the test, or perhaps it is based on some future event, such as 'All
dates in this document must be during the US presidency of G.W.Bush.'
So are these kinds of constraints things that can never go into a
Schematron schema, or just remain as comment-like paragraphs? What
we can do is have dummy assertions, which never fail and provide a
place to park these kinds of constraints...
http://www.oreillynet.com/xml/blog/2007/03/expressing_untested_and_untest.html
See also Schematron references: http://xml.coverpages.org/schematron.html
----------------------------------------------------------------------
Info Sharing Depends on the Filters
Wilson P. Dizard, Government Computer News
The U.S. government's broad-based project to create a technical and
policy structure for intelligence and law enforcement information
sharing relies heavily on upgrading the filters and gates used to
shift data up and down the ladder of classification categories.
Ambassador Ted McNamara, program manager for the Information Sharing
Environment, said during a recent interview at his Washington office
that 'cross-domain solutions are essential to the operation of the
ISE.' McNamara's office is pushing a range of information-sharing
projects forward, mainly by fostering collaboration among federal,
state, local and tribal agencies. For example, McNamara said he had
just met with some 700 officials at a conference focusing on the role
of intelligence fusion centers. Technical working groups are polishing
the service-oriented architecture of the ISE blueprint, a technical
road map that will rely largely on existing protocols such as those
developed for the Justice Department's Law Enforcement Information
Sharing Program. ISE officials said their program's contribution
consists largely of developing business processes and policies to
align business and process needs via the technical working groups:
"That business process gets mapped into data elements using the
National Information Exchange Model; the model is a central
Extensible Markup Language (XML) metadata registry spawned by
Justice's Global Justice XML Data Model project. The resulting ISE
network design will specify functions needed for effective information
sharing, including not only the cross-domain solutions but also
elements such as search, discovery, identity management and
collaboration tools."
http://www.gcn.com/print/26_06/43310-1.html
See also GJXDM: http://xml.coverpages.org/ojp-justiceStandards.html
----------------------------------------------------------------------
XML Daily Newslink and Cover Pages are sponsored by:
BEA Systems, Inc. http://www.bea.com
IBM Corporation http://www.ibm.com
Innodata Isogen http://www.innodata-isogen.com
SAP AG http://www.sap.com
Sun Microsystems, Inc. http://sun.com
----------------------------------------------------------------------
Newsletter subscribe: xml-dailynews-subscribe@lists.xml.org
Newsletter unsubscribe: xml-dailynews-unsubscribe@lists.xml.org
Newsletter help: xml-dailynews-help@lists.xml.org
Cover Pages: http://xml.coverpages.org/
----------------------------------------------------------------------