Sunday, March 27, 2005

Creating policy assertion classes for custom XMLTokens.

The development that I've been doing recently has revolved around the creation of two custom XML security tokens for use within our internal web-services framework. One of the major design goals that I've had was to reduce the complexity of retrieving, sending and validating the tokens within the service consumer and provider environments. We've had fantastic success getting the consumer-side implementation down to only a couple of lines of code. More could be done to reduce the amount of required development effort for a service consumer, but allowing developers to maintain a level of control over the storage and scope of the tokens is important as well.

The server-side, however, needed a method of enforcing some basic validation through simple configuration at the time of installation. I had started down the path of using custom application configuration settings in the service's web.config file to provide this configuration requirement, but I soon realized that it was not having the desired effect. The validation code was either explicitly called from the service's code-base, or it was only running when the custom token type was included in the message. This meant that either the developers building the service had to take time to focus on the token handling, or that the token would only be validated if it was provided. Neither of these situations meets our requirements.

The solution came to me as I spent some additional time thinking about the problem... Policy should always be configured within the policy document. The last thing that I needed was to find out how to extend the policy support of WSE2 to include my token types. I got that answer from this MSDN article. The more I work with the WSE2 framework, the more I love it. The development team for the WSE libraries has provided us with a great start for implementing the WS-* specifications within our environments today, but they have also left the door wide open for extending their work to support more complex scenarios. It's wonderful.
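The gap between token-triggered validation and a policy requirement, as an added example that is not code from this post and does not use the WSE2 policy classes. It assumes a hypothetical `CustomToken` element in the `urn:example:tokens` namespace whose only check is an `Expires` attribute; the sample messages are constructed.

```csharp
using System;
using System.Globalization;
using System.Xml;

static class TokenPolicyDemo
{
    const string Soap = "http://schemas.xmlsoap.org/soap/envelope/";
    const string Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    const string Tok = "urn:example:tokens"; // hypothetical namespace for the custom token

    // Returns the custom token from the WS-Security header, or null when it is absent.
    static XmlElement FindToken(XmlDocument msg)
    {
        var ns = new XmlNamespaceManager(msg.NameTable);
        ns.AddNamespace("s", Soap);
        ns.AddNamespace("wsse", Wsse);
        ns.AddNamespace("t", Tok);
        return (XmlElement)msg.SelectSingleNode("/s:Envelope/s:Header/wsse:Security/t:CustomToken", ns);
    }

    // Stand-in for the real checks (issuer, signature, lifetime): here only an expiry time.
    static bool IsValid(XmlElement token) =>
        DateTime.TryParse(token.GetAttribute("Expires"), CultureInfo.InvariantCulture,
            DateTimeStyles.AdjustToUniversal, out DateTime expires) && expires > DateTime.UtcNow;

    // Token-triggered validation: nothing runs when the token is missing, so the message passes.
    static bool ValidateIfPresent(XmlElement token) => token == null || IsValid(token);

    // Policy-style enforcement: the endpoint requires the token, so its absence is a failure.
    static bool EnforcePolicy(XmlElement token) => token != null && IsValid(token);

    static void Main()
    {
        // Constructed sample messages: a valid token, an expired token, and no token at all.
        string open = "<t:CustomToken xmlns:t='" + Tok + "' Expires='";
        string[,] cases = { { "valid", open + "2999-01-01T00:00:00Z'/>" },
                            { "expired", open + "2001-01-01T00:00:00Z'/>" }, { "missing", "" } };
        for (int i = 0; i < cases.GetLength(0); i++)
        {
            var msg = new XmlDocument();
            msg.LoadXml("<s:Envelope xmlns:s='" + Soap + "'><s:Header><wsse:Security xmlns:wsse='" + Wsse +
                        "'>" + cases[i, 1] + "</wsse:Security></s:Header><s:Body/></s:Envelope>");
            XmlElement token = FindToken(msg);
            Console.WriteLine("{0,-8} if-present={1,-5} policy={2}",
                cases[i, 0], ValidateIfPresent(token), EnforcePolicy(token));
        }
    }
}
```

The two checks agree on the valid and expired messages and differ only on the one with no token, which is the case a service relying on token-triggered validation never sees.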

Now if only the Java development community would catch up with Microsoft's support for these specifications, my life would be much easier. We've got to port all of the token logic into the AXIS world to support service consumers and providers on Unix systems as well.

posted by Chip Childers @ 1:19 PM


© 2005, Jerry W Childers, Jr. - This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 2.5 License.