My XML journeys took me to JavaOne last week. I am a people watcher, and I have always found it fascinating to observe the herd mentality at larger conferences like JavaOne. The queues for the keynotes, the rush to lunch, and don’t get me started on people eagerly standing in line for some logo-laden t-shirt.
The herd had thinned by the last session, but those that stayed to the bitter end were treated to an interesting presentation by Ben Alex of Spring Source http://www.springframework.org/ (TS-6348). What I found interesting was the response to his poll of the audience when he started his talk. Ben asked what the audience was using for security: 1) the JDK default jars, 2) 3rd-party security offerings, or 3) roll your own. A lot of hands went up for all 3 approaches and Ben declared it an even split.
What I found interesting is how many are still rolling their own security! Have Bruce Schneier’s musings about broken implementations gone unheard? I understand that some of the Java security pieces (JSR105, JAAS, WSS4J) can be hard to implement correctly, but Ben and others during JavaOne showed how their 3rd-party offerings put web service security just a mouse click away. What makes security special to trump ease of use?
My guess is we have a hard time delegating application security; we want the control. How does some generic framework know that it is OK for my wife to change my airline reservation? We know the everyday work-around is giving her my password. Will the market continue to roll its own web service security? And if so, why? I would be interested in what you think.