XML and Web Services In The News - 29 November 2006

Provided by OASIS | Edited by Robin Cover

This issue of XML Daily Newslink is sponsored by IBM Corporation



HEADLINES:

 Oracle Announces Identity Governance Framework (IGF)
 Oracle Launches Identity Governance Project
 Shielding Web Services From Attack
 Entitlement Management Solution (EMS) Uses OASIS XACML Standard
 StAX'ing up XML, Part 1: An Introduction to Streaming API for XML (StAX)
 Corel to Support Microsoft Office, ODF Formats


Oracle Announces Identity Governance Framework (IGF)
Darryl K. Taft, eWEEK
In cooperation with CA, Layer 7 Technologies, Novell, Ping Identity, Securent, and Sun Microsystems, Oracle has announced the formation of an initiative to help organizations better govern and protect sensitive identity-related employee, customer and partner information as it flows across heterogeneous applications. The new Identity Governance Framework (IGF) is an open initiative to address governance of identity-related information across enterprise IT systems. It includes key initial draft specifications contributed by Oracle to the community. These specifications provide a common framework for defining usage policies, attribute requirements, and developer APIs pertaining to the use of identity-related information, enabling businesses to ensure full documentation, control, and auditing of the use, storage, and propagation of identity-related data across systems and applications. Sensitive identity-related data such as addresses, social security numbers, bank account numbers and employment details are increasingly the target of legal, regulatory and enterprise policy, including, for example, the European Data Protection Initiative, Sarbanes-Oxley, and Gramm-Leach-Bliley. Two initial draft publications include markup language specifications for CARML and AAPML. Client Attribute Requirements Markup Language (CARML) is a specification that allows applications to define their identity-related attribute requirements. CARML can be used to automate configuration of identity attribute services and to expose the set of identity-related data consumed by a specific application or group of applications. Attribute Authority Policy Markup Language (AAPML) is an XACML profile designed to allow attribute authorities to specify the conditions under which information under their management may be used (and possibly modified) by other applications.
See also: the Identity Governance Framework

Oracle Launches Identity Governance Project
Paul F. Roberts
The Identity Governance Framework is an [Oracle-led] initiative to develop specifications for sharing identity data across heterogeneous applications. The project has the support of identity and access management (IAM) vendors Ping Identity, Sun Microsystems and Securent, as well as CA and Novell. The framework will eventually be turned over to a standards-setting body, according to Amit Jasuja, vice president of product development for Oracle's security and identity management products. The Identity Governance Framework (IGF) grew out of Oracle's efforts to integrate identity and access management technology it acquired from Thor Technologies, OctetString and other companies. Problems such as lost data on laptops and identity theft point to the need for overarching standards that govern all the sensitive data squirreled away in data repositories across an enterprise, such as human resources, customer relationship management and custom-built internal applications. Oracle estimates that between 60 and 80 percent of sensitive data reside in these kinds of repositories, rather than in better protected enterprise databases. IGF addresses that problem by establishing a governance model that allows organizations to create "contracts" between applications and repositories of identity data. The model would cover how data flows within an enterprise and outside the enterprise to supply chain or business partners. Open source and standards groups, including Eclipse.org and OASIS, are also working on the problem of federating identity information, but OASIS' SPML (Service Provisioning Markup Language) and Eclipse's Higgins Trust Framework are more about creating consistent user identities that work between systems, rather than managing sensitive data, he said. "Nobody's asking whether I can propagate a social security number outside my country boundary and put it into a system somewhere else," he said.
Still, Oracle believes that IGF properly belongs under the umbrella of some standards-setting organization, [Amit Jasuja] said. The company plans to reach a deal to hand off its API, as well as the AAPML and CARML work, to such a group within the next 90 days or so. Jasuja wouldn't say which group Oracle was considering, but he acknowledged that a top concern is the speed with which the group can shepherd the IGF specifications through to standards.

Shielding Web Services From Attack
Dan Goodin, InfoWorld
Web services are almost irresistible. Every popular IDE makes them easy to build — to unlock the data and business logic in legacy systems, to provision common functions that can be shared across multiple platforms, or to provide partner organizations direct access to information or applications. And by their nature, Web services helpfully describe themselves, allowing one system to find and interact with another with little or no human intervention. Yet the very virtues that make Web services compelling — their use of trusted ports and protocols, their ease in exposing back-end systems, their eagerness to describe exactly what services are offered and how to get at them, and their use of multiple intermediaries — also make them a potential windfall for criminals crossing an enterprise's perimeter. A high percentage of Web services interact with databases. SOAP and XML make it easy to disguise malicious payloads, opening new avenues for buffer-overflow attacks, SQL-injection exploits, and other misdeeds targeting an enterprise's most vital systems. Compounding matters, some of the machines exposed using Web services are legacy systems — old Windows NT boxes, for example — that are much more susceptible to attack than newer systems. Meanwhile, new classes of exploits targeting Web services have been developed. They include SOAP array overflows, a new variation on buffer-overflow intrusions in which an attacker sends an XML request with an array length that exceeds what has been specified. Like conventional buffer overflows and SQL injections, SOAP array attacks are among the most serious because they can expose confidential data or allow code execution on an organization's back end. 
Other common Web service exploits include XML parser attacks, in which an infinite string leads to a denial of service, and XML external entity attacks, in which a request points to an invalid file, resulting in an error that may cause the Web service to give out information it shouldn't disclose.
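The three attack classes named above (SOAP array length mismatches, unbounded strings, and external entity references) can all be caught at the parser boundary before the payload reaches back-end code. The following Java example is added here and is not code from the InfoWorld article: it configures a JAXP StAX parser with DTDs and external entities disabled, then walks a SOAP 1.1 message with the cursor API, rejecting a SOAP-ENC:arrayType whose declared length is implausible or does not match the elements actually present, and capping total character data. The limits and the sample message are constructed for the example; checkedArrayItems(SAMPLE) returns 3.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedSoapReader {
    // Limits are assumptions for this example; tune them per service.
    static final int MAX_ARRAY_LEN = 1000, MAX_TEXT_LEN = 64 * 1024;
    static final String SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/";
    // Constructed sample: a SOAP 1.1 encoded array of three strings.
    static final String SAMPLE = "<e:Envelope xmlns:e=\"http://schemas.xmlsoap.org/soap/envelope/\""
        + " xmlns:enc=\"" + SOAP_ENC + "\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"><e:Body>"
        + "<names enc:arrayType=\"xsd:string[3]\"><i>a</i><i>b</i><i>c</i></names></e:Body></e:Envelope>";
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false); // no DTDs: no entity-expansion bombs
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); // closes XXE reads
        return f;
    }
    // Walks a SOAP message with the StAX cursor API: the declared SOAP-ENC:arrayType length
    // must be sane and match the items actually present, and character data stays under a cap.
    static int checkedArrayItems(String soap) throws XMLStreamException {
        XMLStreamReader r = hardenedFactory().createXMLStreamReader(new StringReader(soap));
        int declared = -1, items = 0, depth = 0, arrayDepth = -1; long text = 0;
        while (r.hasNext()) {
            int ev = r.next();
            if (ev == XMLStreamConstants.START_ELEMENT) {
                depth++;
                String at = r.getAttributeValue(SOAP_ENC, "arrayType"); // e.g. "xsd:string[3]"
                if (at != null) { // a malformed value throws here and is thus rejected too
                    declared = Integer.parseInt(at.substring(at.indexOf('[') + 1, at.indexOf(']')));
                    if (declared < 0 || declared > MAX_ARRAY_LEN)
                        throw new XMLStreamException("SOAP array length rejected: " + declared);
                    arrayDepth = depth;
                } else if (arrayDepth >= 0 && depth == arrayDepth + 1) {
                    items++; // direct child of the array element
                }
            } else if (ev == XMLStreamConstants.END_ELEMENT) {
                depth--;
            } else if (ev == XMLStreamConstants.CHARACTERS) {
                text += r.getTextLength(); // cumulative: a long string may arrive in chunks
                if (text > MAX_TEXT_LEN) throw new XMLStreamException("character data over limit");
            }
        }
        if (declared >= 0 && items != declared)
            throw new XMLStreamException("declared " + declared + " items but found " + items);
        return items;
    }
}
```

Because the checks run while streaming, an oversized message is rejected before it is fully buffered, which is the point of doing this in StAX rather than after a DOM build.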

Entitlement Management Solution (EMS) Uses OASIS XACML Standard
Staff, Securent Announcement
Securent has announced the industry's "first standards-based product" to solve the pain of Entitlement Management by providing the ability to manage, enforce, review and audit policies for context-dependent access to resources across the IT stack (portals, applications, data, and networks). Securent's Entitlement Management Solution (EMS) has already achieved early industry acceptance by analysts and customers, and has been selected by multiple Fortune 500 companies including QUALCOMM and Credit Suisse. By delivering its technology as an XACML-compliant (Extensible Access Control Markup Language) solution, Securent is setting the standard in Entitlement Management and fast becoming the product of choice for securing mission-critical environments. Entitlement Management is a new, distinct category within the overall Identity and Access Management market, which to date has focused on addressing the need to determine "who" is making a request. However, this class of products has not yet addressed the second half of the security problem, namely, determining and enforcing "whether" the person or application is entitled to perform the particular request. Since enterprises are commonly required to provide differentiated levels of access, developers and IT departments have had little choice but to address the need for context-dependent or fine-grained access control by custom coding security policies into each individual application, data source, and communication channel. Given the heightened security requirements of today's distributed enterprise, entitlements are becoming a fundamental component of most corporate security initiatives. For example, entitlements control access to sensitive information by ensuring that not every employee can access every financial report and every employee record.
Entitlements are also critical in regulated environments where organizations are required by law to ensure that the requester of a transaction cannot also approve it, and that analysts cannot communicate with brokers.

StAX'ing up XML, Part 1: An Introduction to Streaming API for XML (StAX)
Peter Nehrer, IBM developerWorks
Since its inception, the Java API for XML Processing (JAXP) has provided two methods for processing XML — the Document Object Model (DOM) method, which uses a standard object model to represent XML documents, and the Simple API for XML (SAX) method, which uses application-supplied event handlers to process XML. A streaming alternative to these approaches was proposed in JSR-173: Streaming API for XML (StAX). Its final release was published in March 2004 and it became part of JAXP 1.4, to be included in the upcoming Java 6 release. As its name reveals, StAX places emphasis on streaming. In fact, what distinguishes StAX from other approaches is the application's ability to process XML as a stream of events. The idea of handling XML as a set of events is not entirely new (in fact, it is already present in SAX); the difference is that StAX allows the application code to pull these events one after another, rather than having to provide a handler that receives events from the parser at the parser's convenience. StAX actually consists of two sets of XML processing APIs, each providing a different level of abstraction. The cursor-based API allows the application to work with XML as a stream of tokens (or events); the application can examine the parser's state and obtain information about the last parsed token, then advance to the next token, and so on. This is a rather low-level API; while very efficient, it does not provide an abstraction of the underlying XML structure. The higher-level iterator-based API allows the application to process XML as a series of event objects, each of which communicates a piece of the XML structure to the application. All the application needs to do is determine the type of the parsed event, cast it to the corresponding concrete type, and use its methods to get information pertaining to the event.
See also: XML Pull Parsing
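The two StAX styles described above, side by side on the same document. This Java example is added here and is not code from the developerWorks article: the cursor method asks the XMLStreamReader about its current token and advances with next(), while the iterator method pulls XMLEvent objects from an XMLEventReader, tests the event type, and casts to StartElement. The document and class name are constructed for the example.

```java
import java.io.StringReader;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLEventReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.events.Attribute;
import javax.xml.stream.events.StartElement;
import javax.xml.stream.events.XMLEvent;

public class StaxTwoStyles {
    // Constructed sample document for this example.
    static final String DOC =
        "<orders><order id=\"7\">book</order><order id=\"9\">pen</order></orders>";

    // Cursor API: the reader itself is the parser state. The application asks it about
    // the current token, then pulls the next one with next(); no object is created per event.
    static int countOrdersWithCursor() throws XMLStreamException {
        XMLStreamReader r = XMLInputFactory.newInstance().createXMLStreamReader(new StringReader(DOC));
        int n = 0;
        while (r.hasNext()) {
            if (r.next() == XMLStreamConstants.START_ELEMENT && "order".equals(r.getLocalName())) {
                n++;
            }
        }
        r.close();
        return n;
    }
    // Iterator API: each pull returns an immutable XMLEvent that the application inspects
    // by type, casts to its concrete type, and may keep or hand on to other code.
    static String idsWithIterator() throws XMLStreamException {
        XMLEventReader r = XMLInputFactory.newInstance().createXMLEventReader(new StringReader(DOC));
        StringBuilder ids = new StringBuilder();
        while (r.hasNext()) {
            XMLEvent e = r.nextEvent();
            if (e.isStartElement()) {
                StartElement s = e.asStartElement();
                Attribute id = s.getAttributeByName(new QName("id"));
                if (id != null) ids.append(id.getValue()).append(' ');
            }
        }
        r.close();
        return ids.toString().trim();
    }

    public static void main(String[] args) throws XMLStreamException {
        System.out.println(countOrdersWithCursor() + " orders, ids: " + idsWithIterator());
    }
}
```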

Corel to Support Microsoft Office, ODF Formats
Martin LaMonica, CNET News.com
Corel, the maker of the WordPerfect word processor, said that it intends to support Microsoft's latest Office document formats and its rival, OpenDocument. The company intends to add both formats to its WordPerfect Office suite in the middle of next year. On Thursday, Microsoft is set to release to businesses Office 2007, an upgrade of its productivity suite which introduces an XML-based file format called Office Open XML. Because so many more documents will be created in that format, Corel has decided to make opening and editing those document types an option in the WordPerfect word processor as well as in the company's presentation application and Quattro Pro spreadsheet, said Richard Carriere, general manager of office productivity for Corel. In addition, Corel in the middle of next year will allow people to open and view word processor documents stored in the OpenDocument format, or ODF. The decision to support ODF is based on demand, notably from government customers, Carriere said. Corel has 11 million active users worldwide with the majority of them in North America, he said. Carriere said that Corel's decision to adopt ODF contrasts with that of other ODF backers. In ODF standards meetings, it is clear that Microsoft rivals are backing the format in an attempt to unseat Microsoft's desktop hegemony. Carriere said that Corel expects to ultimately support the ODF spreadsheet and presentation formats if there is customer demand.
See also: eWEEK


XML.org is an OASIS Information Channel sponsored by BEA Systems, Inc., IBM Corporation, Innodata Isogen, SAP AG and Sun Microsystems, Inc.

Use http://www.oasis-open.org/mlmanage to unsubscribe or change an email address. See http://xml.org/xml/news_market.shtml for the list archives.
