This chapter discussed how you can perform serious e-Business functions with Web services. After reading this chapter, you know that there are many emerging standards in this area, with which you can bring Web services to the real world. Of course, it's important to keep your eyes on standardization activities in W3C, OASIS, and the Java Community Processes known as Java Specification Requests (JSR). However, it is extremely hard to follow all the activities. One reasonable approach is to clarify first what you want in your business and systems in order to narrow down the activities and standards you must monitor.
You should now have a fairly solid picture of security standards. Although some technologies are under development, you can make your Web services secure to some extent with SSL, BASIC-AUTH, and digital signatures. Other technologies should be chosen after paying particular attention to how they have matured and how much you need them in your business.
Standards in Enterprise Application Integration (EAI) are in some sense mature because they are based on a long history of system integration evolution including transactions, reliable messaging, distributed objects, security, and so on. However, you must also know that important concepts like transactions and reliable messaging cannot be applied to B2B easily on the Internet. We are eagerly awaiting standardization efforts in this area.
Another issue addressed here was how to fit Web services technologies and standards into EAI environments. For example, BASIC-AUTH has been integrated into the J2EE architecture, so authorization on EJB objects can be performed based on it. However, how do we perform authorization on ordinary Java objects? Can we perform authorization if we authenticate a requestor with a digital signature? When adopting a Web services technology, you also have to consider how it can be integrated into your existing EAI environment.
We also reviewed examples of core Web services. XKMS is the best example here. Because PKI is difficult to access directly, Web services that make PKI accessible are valuable. As we envisioned in Figure 5.21, other security functions would be provided as Web services, such as signature and encryption services. In the same manner, work is underway on publishing system management functions as Web services. Once such Web services are provided, customers can understand the system status of the service provider. This could be a good basis for QoS improvement in a decentralized manner.