PolicyEnabling the SCAbased SOA - PowerPoint PPT Presentation

About This Presentation
Title:

PolicyEnabling the SCAbased SOA

Description:

... WebSphere, Tuscany), the first two are only available as beta right now. ... behind the bleeding edge, or a version that is already supported by the betas ... – PowerPoint PPT presentation

Number of Views:32
Avg rating:3.0/5.0
Slides: 25
Provided by: eventsOa
Category:

less

Transcript and Presenter's Notes

Title: PolicyEnabling the SCAbased SOA


1
Policy-Enabling the SCA-based SOA
www.oasis-open.org
2
Questions to answer
www.oasis-open.org
  • Why should SCA-based SOAs be policy-controlled
    with SCA Policy?
  • How does it make my SOA more secure?
  • How does it make my SOA more agile for changing
    business needs?
  • What are the basics about SCA Policy?
  • How is policy represented?
  • What SCA constructs can be policy-controlled?
  • How is a particular policy attached to a
    particular SCA construct?
  • What are the basic policy intents pre-defined
    within SCA Policy?
  • How does policy-control affect component wiring
    or references to services?
  • How do I start using SCA Policy?
  • What are the decisions I need to make?
  • What is an outline of the suggested steps?
  • What policy language do I use?
  • What SCA implementation do I use?
  • What are some ideas for future research?

3
Why use SCA Policy in my SOA?
  • You are using SCA (if you're not...)?
  • Today's SOAs need to be...
  • Deployable in different environments
  • Ensure security
  • Adaptable to changing business needs
  • SCA Policy is the SCA piece that addresses those
    concerns

4
How does it enable better security?
  • Intents capture abstract policy requirements
  • Intents independent of policy language and
    implementation
  • The framework enables choosing a concrete policy
    set that satifies those intents
  • Policy enables faster reconfiguration to meet new
    threats

5
How does it increase SOA agility?
  • Interactions only enabled if under policy
  • Means we can control our interactions with our
    intent rather than a program
  • Example
  • Requiring intent 'confidentiality.message.body'
    means the only SCA bindings used will be ones
    that can encrypt the body of the messages
  • Can reconfigure for completely new environments,
    just by changing policy and re-assembling

6
Covering the basic questions
  • What are the basics about SCA Policy?
  • How is policy represented?
  • What SCA constructs can be policy-controlled?
  • How is a particular policy attached to a
    particular SCA construct?
  • What are the basic policy intents pre-defined
    within SCA Policy?
  • How does policy-control affect component wiring
    or references to services?
  • What are the decisions you need to make?

7
How is policy represented?
  • As XML, in definitions.xml
  • Policy types interaction vs implementation
  • Abstract vs concrete Intents Policy Sets
  • Policy language
  • In theory you choose
  • In sanity use WS-Policy (more on this later)?

8
Intent Example
ltintent name"scamessageProtection"
constrains"scabinding"
requires"scaconfidentiality scaintegrity"gt ltde
scriptiongt Protect messages from
unauthorized reading or
modification. lt/descriptiongt lt/intentgt
- From the SCA Policy Overview webinar
9
Policy set example (using WS-Policy)?
ltpolicySet name"scauserNameTokenHashPassword"
provides"scaauthentication"
appliesTo"scabinding.ws"gt ltwspPolicygt
ltspSupportingTokengt ltwspPolicygt
ltspUserNameTokengt ltwspPolicygt
ltspHashPasswordgt lt/wspPolicygt
lt/spUserNameTokengt lt/wspPolicygt
lt/spSupportingTokengt lt/wspPolicygt lt/policySetgt
- From the SCA Policy Overview webinar
10
A 2nd policy example (not WS-Policy)?
ltpolicySet provides"snslogging.trace"
appliesTo"scaimplementation.bpel"gt
ltacmeprocessLogging level"3"/gt lt/policySetgt
11
What constructs can be controlled?
  • Both intents and policy sets can be applied to
    any SCA construct used in the definition of
    components and composites
  • Both can be applied at development
  • If only intents specified then the matching
    policy sets will be determined at deployment
  • If policy sets and intents then the applicable
    policy can be overridden by policy matched by
    intents at deployment

12
How is policy attached to a construct?
  • _at_requires
  • A requires attribute specifies a space separated
    list of intents
  • Complex intents can be specified using an Xpath
    expression
  • _at_policySets
  • The policy set applicable is specified by a
    policySet attribute, also a space separated list

13
What are the pre-defined intents?
  • SCA Policy pre-defines three types of policy
    intents security, reliability, and misc.
  • There are three security intents
  • Authentication
  • Confidentiality
  • Integrity
  • The reliability intents are
  • AtLeastOnce
  • AtMostOnce
  • ExactlyOnce
  • Ordered
  • The misc. intents
  • SOAP
  • JMS
  • NoListener
  • BP.1_1.

14
The security intents
  • Authentication
  • Ensures stated sender is actual sender
  • Confidentiality
  • Ensures only receiver can read msg
  • Integrity
  • Ensures msg is as sent, no tampering
  • Two qualifiers can be applied to any of these
    transport and message

15
Reliability Intents
  • AtMostOnce
  • Multiple copies of message not allowe
  • Delivery not guaranteed
  • AtLeastOnce
  • Multiple copies allowed
  • Delivery guaranteed
  • ExactlyOnce
  • Profile intent that combines the above
  • Ordered
  • Each sender's messages are delivered in order sent

16
Misc. intents
  • SOAP
  • SOAP msg APIs used
  • Not necessarily ws binding, could be SOAP over
    JMS for example, but ws binding likely
  • JMS
  • JMS msg APIs used, JMS binding likely
  • NoListener
  • Client can't accept new connections
  • Only on references
  • Ex a WS-Policy assertion that applies to the
    ltbinding.wsgt binding, which requires the use of
    WS-Addressing with anonymous responses (e.g.
    ltwsawAnonymousgtrequiredlt/wsawAnonymousgt
  • BP.1_1
  • WS-BasicProfile is followed, ws binding likely

17
How do I start using SCA Policy?
  • What are the decisions I need to make?
  • What is an outline of the suggested steps?
  • What policy language do I choose?
  • What SCA implementation do I choose?

18
How do I use RBAC with SCA Policy
  • RBAC Role Based Access Control
  • Common method for authorization
  • So common that special support was added for it
    with custom policy assertions
  • ltallow roleslist of NCNames /gt
  • ltpermitAllgt
  • ltdenyAllgt
  • ltrunAs rolexcNCName
  • Example
  • ltpolicySet nameallow_customersgt
  • ltallow rolescustomers /gt
  • lt/policySetgt

19
What decisions do I need to make?
  • Will you specify policy sets at development, or
    let them be determined at deployment?
  • Will you use WS-Policy as your policy language?
  • If no, then what will you use?
  • If yes, do you need to extend it with custom
    assertions?
  • What different policies will you need?
  • Will you be able to get by with just the
    predefined intents, or will you need to add
    custom intents
  • What are the governance processes for creating,
    modifying policies and policy sets?

20
Suggested guidelines/profile
  • Only specify intents at development time
  • Keep your intents as abstract as possible
    (ideal)?
  • Sometimes concrete intents (jms or xmpp.0080) are
    needed, but make sure they really are
  • Use WS-Policy as your policy language, but...
  • WS-Policy by itself is almost never enough, so
    decide which WS-Policy extensions you need to use
  • If absolutely needed, roll you own assertion
    types
  • Use policy inclusion to write small re-usable
    policy sets that are written by policy
    administrator with guidelines for assembler
  • Use the broadest brush..if all the operations
    require confidentiality then put the
    confidentiality intent on the component

21
What is an outline of suggested steps?
  • List collaborations
  • For each collaboration write the QoS
    characteristics required in abstract terms
  • Refactor characteristics to eliminate redundancy
  • List the binding types and implementations you
    will support
  • Determine concrete requirements from the abstract
    characteristics for each binding type and
    implementation (revise characteristics if needed
    during this)?
  • Captures abstract characteristics with existing
    intents if possible, create new ones if needed
  • Determine what existing WS-Policy extensions are
    needed to express the concrete QoS requirements,
    if any
  • If needed create a new WS-Policy extension (but
    first double check above to make sure you can't
    rework it so you don't need to roll your own)?
  • Make sure your runtime supports your required
    extensions (rework as needed)?
  • Turn areas of overlap among concrete QoS
    requirements into policy sets
  • Use inclusion to create final policy sets, then
    tie them to intents
  • Add intents to the components responsible for the
    matching collaboration

22
What policy language do I use?
  • Many policy languages to choose from
  • SCA Policy built to support WS-Policy and others
    if desired
  • Means best support is for WS-Policy
  • Recommendation is to use WS-Policy with custom
    extensions if needed (they likely will be)?

23
What SCA Implementation do I use?
  • Not many choices
  • Of the 4 big ones (Oracle 11g, BEA AquaLogic,
    WebSphere, Tuscany), the first two are only
    available as beta right now. Supported versions
    of SCA policy are not known.
  • Aqualogic has stated support for SCA with a
    policy aware SCA runtime for Weblogic server, and
    with AL Enterprise Repository, which will store
    SCA component assemblies and configuration
  • Oracle 11g TP4 rumored to be imminent. SCA
    support in TP3 had pluses and minuses, including
    no Java SCA implementation components. Policy
    support is unknown.
  • Websphere 6.1 SOA feature pack states support for
    SCA Policy 1.0
  • Apache Tuscany is Open Source with all he
    benefits and issues that entails, though it's
    under commercial-friendly Apache license
  • Recommendation is, as always...
  • code to the standard and try to stick to a
    version that's a little behind the bleeding edge,
    or a version that is already supported by the
    betas
  • Test and provide SDKs using Open Source, with
    periodic integration tests with primary
    commercial choice and an alternative commercial
    choice.
  • Demo and deploy with commercial products or Open
    Source, whichever one makes sense for your needs.

24
What are some ideas for the future?
  • A more robust set of policy intent domain
    extensions (but watch out for too tight coupling
    to concrete ideas) that fully specify intents for
    some domain
  • Creating a mash-up of semantic reasoning and SCA
    with a runtime that translates to and provides
    for an alternate SCA description syntax that is
    compatible with semantic reasoning, such as XDI,
    RDF, or something else
  • Policies change, a nice feature would be an
    optional use of a set of SCA components that
    provide policy store functionality for a SCA
    domain. This is necessary in environments where
    policy modifications occur frequently and are
    shared across many domains
  • Other technologies that might make an interesting
    mash-up when combined with SCA
  • Web Ontology Language (OWL)?
  • XACML
  • WS-PolicyConstraints
  • SAML
  • ITU Policy standards (X.812/X.749)?
Write a Comment
User Comments (0)
About PowerShow.com