XML

The Spirit of Schematron in Test Driven Development (TDD)

2008-04-16T06:27:00.001-07:00

Test Driven Development is a relatively popular methodology nowadays
and I think XML tools can play crucial aspect in better testing. Testing
frameworks are more than capable of using and testing XML based
applications, but just in case you have ever had trouble, here are a
few tips. XSLT makes for an excellent transformation tool for massaging
XML data. This means it also can be a helpful tool to reduce large XML
data sets to something manageable, whether it is XML or not. For example
[see the] simple XSLT stylesheet that will return content on errors
checking an Atom Feed, which is is exceptionally simple, but hopefully
it makes the point. In the example, you'll also notice that the output
was not contained in a XML Element. Sometimes it is easier to just parse
a simple text file line by line, so this might be that situation. Likewise,
having a designated set of test elements could be helpful -- think reports
transformed to HTML). That said, the goal is not to create some enormous
test framework in XML and XSLT. The real goal is to use a great tool for
transforming XML to something you can use easily. I wouldn't necessarily
suggest trying to validate the content of an element or do complex string
parsing. XSLT 1.0 isn't really the easiest language for string parsing
or complex math with out a little help. You can always add your own
extension functions to help out, but hopefully keeping things simple by
massaging the data gets you 80% of the way. The idea here is make things
palatable to your own tastes... I like XML, but I hate XML Schema and
DTDs. RELAX NG is slightly better option, but when you just want to make
sure some value is present, the above methods can be a simpler solution.
The essence of the above suggestions come from Schematron, an excellent
validation tool that is as simple as knowing XPath. Schematron in fact
has been implemented using XSLT, so adding it to your existing test
framework should be relatively simple. There are times when XML seems
to present a subtle problem within the world of object oriented languages.
It's not a hard problem on a technical level. Working with XML is
relatively simple with many examples and resources. Things get hard when
you don't have good tools to help you along the way. The XML landscape
to your programming language of choice when XML has more than enough
tools to seamlessly integrate testing your XML along side your models,
views, controllers and integrations.

Don't Be Surprised By E-Discovery

2008-04-16T06:26:00.000-07:00

E-discovery requires government agencies to know what electronic
documents they have and be able to find them quickly if someone requests
them for a court case. That's no small task considering the enormous
volume of electronic documents created by the typical organization.
Email messages and attachments represent a good chunk of the problem,
but word-processing documents, PDFs and other digital information also
contribute to the management challenge. The amended Federal Rules of
Civil Procedure, which has heightened awareness of e-discovery, cover
a wide range of data types under the umbrella of electronically stored
information... E-discovery experts recommend establishing a taxonomy
and creating metadata tags for electronic information. The taxonomy
provides a general way to classify information, and metadata provides
detail on information to make searches more fruitful. The Electronic
Discovery Reference Model project devised an Extensible Markup Language
(XML) schema to consistently describe electronic information. [Penny]
Quirk said EDRM created the XML e-discovery standard to ensure that
consistent and common nomenclature is used for business records during
the e-discovery process; the project is scheduled for completion in this
year's second quarter... Electronic documents culled in e-discovery and
used in litigation demand special treatment: documents compiled in
significant cases at the Justice Department are kept as permanent records
of the government. Records in garden-variety cases in federal court are
considered temporary, but they might still be housed for a number of
years at one of the National Archive's Federal Records Centers. The
National Archives tapped Lockheed Martin in 2005 to build an Electronic
Records Archives system that will help the agency ingest electronic
records flagged for permanent storage; the aim now is to accept
government reco ds in any format, encapsulating each electronic document
in an XML metadata wrapper.

Proposal for IETF NETCONF Data Modeling Language Working Group

2008-04-16T06:25:00.002-07:00

The IESG Secretary announced that a new IETF working group has been
proposed in the Operations and Management Area, described in a draft
NETMOD Charter. The NETCONF Working Group has completed a base protocol
to be used for configuration management. However, the NETCONF protocol
does not include a standard content layer. The specifications do not
include a modeling language or accompanying rules that can be used to
model the management information that is to be configured using NETCONF.
This has resulted in inconsistent syntax and interoperability problems.
The purpose of NETMOD is to support the ongoing development of IETF
and vendor-defined data models for NETCONF. The WG will define a
"human-friendly" modeling language defining the semantics of operational
data, configuration data, notifications, and operations. This language
will focus on readability and ease of use. This language must be able
to serve as the normative description of NETCONF data models. The WG
will use YANG as its starting point for this language. Language
abstractions that facilitate model extensibility and reuse have been
identified as a work area and will be considered as a work item or
may be integrated into the YANG document based on WG consensus. The
WG will define a canonical mapping of this language to NETCONF XML
instance documents, the on-the-wire format of YANG-defined XML content.
Only data models defined in YANG will have to adhere to this on-the-wire
format. In order to leverage existing XML tools for validating NETCONF
data in various contexts and also facilitate exchange of data models
SDL data modeling framework (ISO/IEC 19757) with additional annotations
to preserve semantics. The initial YANG mapping rules specifications
are expressly defined for NETCONF modeling. However, there may be
future areas of applicability beyond NETCONF, and the WG must provide
suitable language extensibility mechanisms to allow for such future
work. The NETMOD WG will only address modeling NETCONF devices and the
language extensibility mechanisms... Initial deliverables: (1) An
architecture document explaining the relationship between YANG and
its inputs and outputs; (2) The YANG data modeling language and
semantics; (3) Mapping rules of YANG to XML instance data in NETCONF;
(4) YIN, a semantically equivalent fully reversible mapping to an
XML-based syntax for YANG. YIN is simply the data model in an XML
syntax that can be manipulated using existing XML tools (e.g., XSLT);
(5) Mapping rules of YANG to DSDL data modeling framework (ISO/IEC 19757),
including annotations for DSDL to preserve top-level semantics during
translation; (6) A standard type library for use by YANG. The IESG
has not made any determination as yet; please send your comments to
the IESG mailing list by April 22, 2008.

W3C Invites Public Comment on Content Transformation Guidelines 1.0

2008-04-16T06:25:00.001-07:00

W3C announced that the Mobile Web Best Practices Working Group has
published the First Public Working Draft for "Content Transformation
Guidelines 1.0." This document provides guidance to managers of content
transformation proxies and to content providers for how to coordinate
when delivering Web content. Content transformation techniques diverge
widely on the web, with many non-standard HTTP implications, and no
well-understood means either of identifying the presence of such
transforming proxies, nor of controlling their actions. From the point
of view of this document, Content Transformation is the manipulation in
various ways, by proxies, of requests made to and content delivered by
an origin server with a view to making it more suitable for mobile
presentation. The W3C MWI BPWG neither approves nor disapproves of
Content Transformation, but recognizes that is being deployed widely
across mobile data access networks. The deployments are widely divergent
to each other, with many non-standard HTTP implications, and no
well-understood means either of identifying the presence of such
transforming proxies, nor of controlling their actions. This document
establishes a framework to allow that to happen.

Use HATS to Generate Atom Feeds for Mainframe Applications

2008-04-16T06:24:00.001-07:00

Nowadays, content distributors deliver all content, including news and
site updates, as feeds. Most enterprise applications use feeds for
various purposes, including to monitor an application and check the
status of a project. Content providers publish a feed link on their site
that users register with a feed reader. The feed reader checks for
updates to the registered feeds at regular intervals. When it detects
an update in the content, the feed reader requests the updated content
from the content provider. The feeds contain only a summary of the content,
but they provide a link to the detailed content. Atom Syndication Format
and RSS are the most common specifications of feeds. We're using Atom
feeds in this article, but you can change easily to RSS feeds with a
little modification. This article leverages a product called IBM
WebSphere Host Access Transformation Services (HATS), which converts
any given green-screen, character-based 3270 or 5250 host application
into a Web application (HTML) or rich-client application. HATS also allows
programmatic interfaces to convert the identified content in these host
applications into any other format. We take a step-by-step approach to
show you how to write a HATS program that converts the host application
content into Atom feeds... Delivering data as Atom feeds in mainframes
opens a new world of possibilities for enterprise applications.
Organizations can use mashup editors to extract data from companies with
external or internal feeds and create new applications or information.
For example, call centers can take advantage of mashups by passing a
calling customer's ZIP code information to Google Maps to identify the
location of the customer. This can help the call center employees
personalize the conversation by enquiring about the weather from the
customer's location, and so on. The delivery of data as Atom feeds in
mainframe servers is one of the fundamental building blocks that enables
an organization to embrace Web 2.0.

Apache Abdera: Atom, AtomPub, and Java

2008-04-16T06:23:00.000-07:00

The Apache Abdera project, an open source Atom Syndication and Atom
Publication Protocol implementation currently still in its incubation
phase, has recently reached its 0.40 milestone, an important step towards
graduation [as an Apache project]. Snell: "While Atom and AtomPub
certainly began life as a way of syndicating and publishing Weblog
content, it has proven useful for a much broader range of applications.
I've seen Atom being used for contacts, calendaring, file management,
discussion forums, profiles, bookmarks, wikis, photo sharing, podcasting,
distribution of Common Alerting Protocol alerts, and many other cases.
Atom is relevant to any application that involves publishing and managing
collections of content of any type... Abdera is an open source
implementation of the Atom Syndication Format and Atom Publishing Protocol.
It began life as a project within IBM's WebAhead group and was donated to
the Apache Incubator in June 2006. Since then, it has evolved into the
most comprehensive open-source, Java-based implementation of the Atom
standards.. Abdera has been part of the Apache Incubator for long enough.
While there are still some details to work out, I would very much like
to see Abdera graduate to its own Top Level Project at Apache, and become
host to a broad range of Atom-based applications." Diephouse: "Look to
some of the public services out there: most of the APIs for Google are
based on AtomPub. Microsoft is moving toward it for web APIs too. These
services are all going beyond just blogs. AtomPub goes beyond public web
APIs as well -- I've noticed that many enterprises are starting to use
AtomPub for some of their internal services as well. Both AtomPub and
SOAP/WSDL give you a way to build a service for others to use. But AtomPub
takes a fundamentally different approach to helping users implement
services. It implements constraints which give new types of freedom.
Because the data format is constrained -- every entry has a title, entry,
id, and content/summary -- I can use an Atom feed from any type of
application and get some useful information out of it... Abdera includes
support for developing/consuming AtomPub services, an IRI library, a URI
template library, unicode normalization, extensions for things like XML
signature/encryption, GData, GeoRSS, OAuth, JSON and more. One of the
cool new things in the latest release are a set of 'adapters' which allow
you to have an AtomPub service without any coding by storing entries in
JDBC, JCR or the filesystem...

Who Trumps bin Laden as a Cyberthreat? Look in the Mirror.

2008-04-13T23:42:00.000-07:00

From the San Francisco RSA 2008 Conference: "It turns out al-Qaida's
leader and his cohorts aren't the biggest threat to our cybersecurity.
You are... Security gurus have long urged the business world to turn
network security into part of the corporate DNA. The message is not
fully getting through. And now we're seeing the predictable results.
In years past, [Symantec CEO John] Thompson and other computer security
executives have pushed the idea of making cyber-security as familiar
to most people as the fire prevention campaign underwritten by the
government in the 1960s and 1970s. Considering the amount of money
Uncle Sam is spending on cyber-security these days, that's a pipedream.
Department of Homeland Security Secretary Michael Chertoff, who also
presented a keynote on Tuesday, offered litte indication Washington
was about to ride to the rescue. In remarks during his prepared speech
and subsequent press conference, Chertoff offered a dutiful recitation
of what he described as the President's interest in shoring up the
nation's digital security. Give Chertoff credit for being candid about
where DHS has come up short. He said the government needs to reduce
its (literally) thousands of network access points to around 50. At
the same time, Chertoff wants his department to faster detect and
analyze computer anomalies. A big part of that will involve a revamp
of U.S. CERT's early warning system... In the end, however, money
talks and you-know-what walks. The feds only have a $115 million budget
to work with. Chertoff's department has requested $192 million for
the new fiscal year but that's still doing it on the cheap. By
comparison, we spend $720 million in Iraq each day [actually their own money, joke of the day,].

More Information

SOA Software's SOLA Celebrates 5 Years

2008-04-13T23:41:00.002-07:00

SOA Software, a leading mainframe web services vendor, today announced
that SOLA, its flagship mainframe SOA product, has reached the five
year mark in running reliably extremely high volume production
environments. During this period SOLA has not been responsible for a
single production outage, despite handling tens of millions of
transactions every day. SOLA runs the world's largest mainframe SOA
implementations. A number of SOLA customers use it to run many millions
of mainframe web services transactions per day, and many customers'
plans anticipate volume in the 20-30 million transactions per day range.
Because SOLA offers a complete SOA solution there is no requirement to
integrate multiple products when building an enterprise-class SOA
incorporating the mainframe. SOLA includes a drag-and-drop graphical
development studio, an integrated UDDI registry, WS-Security, WS-Policy,
monitoring, logging, a management console and dashboard, SLA management,
BPEL, SAML, X509 Certificates, LDAP and Active Directory. SOLA eliminates
the complexity and expense of combining multiple products, such as CICS
TS 3.x, WebSphere and RAD... SOLA is the only mainframe SOA product to
offer closed-loop Governance automation. A service is automatically
governed from the point of creation because it inherits a security policy.
Policy, by means of WS-PolicyAttachment, is associated with the service
though all phases of the Software Development Lifecycle. It is not
possible to create or run an ungoverned service. Other features of SOLA
include integration with enterprise change management, Global Dictionary,
Logging, Auditing, Outbound SOAP requests, Batch support, Integration
with external UDDI, version control, support for the Software Development
Lifecycle, WSDL first and integration with SOA Management tools, making
SOLA the only secure, standards-based, and Governable product in the
space. SOLA also offers XACML for authentication and a comprehensive
identity mapping system that allows for the mapping of any credential
(LDAP, etc) to a mainframe RACF ID.

OOXML Triggers Demonstration in Norway

2008-04-13T23:41:00.001-07:00

"People were demonstrating today in Oslo in front of the ISO SC34
meeting against the adoption of Microsoft OOXML as an ISO standard, and
especially against the behaviour of Standards Norway, who voted Yes to
the specification, despite a lack of support by a majority of the
technical committee. Geir Isene is reporting about the demonstration...
We are not here today in order to bash Microsoft. We are here because we
believe in open standards. We are not even here today because we are
opposed to OOXML. We are here because we are opposed to OOXML as an ISO
standard. We are not here because we want to discredit the ISO. We are
here because we want to defend ISO's integrity. We are here because we
want to draw attention to the scandalous behaviour of the people in
Standard Norway whose job it is to represent Norwegian users and software
vendors. And we are here because we want to prevent the adoption of a
damaging IT standard in Norway... It's never over until the fat lady
sings, and this fat lady only just got started...

Public Review Draft for WebCGM Version 2.1

2008-04-13T23:40:00.001-07:00

Members of the OASIS CGM Open WebCGM Technical Committee have released
"WebCGM Version 2.1" as a Committee Draft for public review. The comment
period ends June 01, 2008. Computer Graphics Metafile (CGM) is an ISO
standard, defined by ISO/IEC 8632:1999, for the interchange of 2D vector
and mixed vector/raster graphics. WebCGM is a profile of CGM, which adds
Web linking and is optimized for Web applications in technical
illustration, electronic documentation, geophysical data visualization,
and similar fields. First published (1.0) in 1999, WebCGM unifies
potentially diverse approaches to CGM utilization in Web document
applications. It therefore represents a significant interoperability
agreement amongst major users and implementers of the ISO CGM standard.
The present version, WebCGM 2.1, refines and completes the features of
the major WebCGM 2.0 release. WebCGM 2.0 added a DOM (API) specification
for programmatic access to WebCGM objects, a specification of an XML
Companion File (XCF) architecture, and extended the graphical and
intelligent content of WebCGM 1.0. The content of the WebCGM 2.1 profile
comprises less than a dozen items that were arguably within the scope
of WebCGM 2.0, but which arose too late in the standardization of the
latter. On 30-January-2007, OASIS and W3C simultaneously published
WebCGM 2.0 as both an OASIS Standard and a W3C Recommendation, which
are identical in all technical aspects, and differ only in the format
and presentation styles of the respective organizations.

Google's OpenID Provider Via Google Web Engine

2008-04-13T23:39:00.001-07:00

"Shortly after Google released Google Web Engine last night, Ryan
Barrett of Google released an application for the platform that
essentially makes Google an OpenID Provider. Check it out here [...]
You can use your Google Account to log into any site that supports
OpenID! Ryan wrote: "If you've talked to me about work during the last
couple years, I've probably downplayed it, resorted to generalities,
or just changed the subject. No longer! We've finally taken the wraps
off our project, Google App Engine. From the docs: 'Google App Engine
lets you run your web applications on Google's infrastructure. App
Engine applications are easy to build, easy to maintain, and easy to
scale as your traffic and data storage needs grow. With App Engine,
there are no servers to maintain: You just upload your application,
and it's ready to serve your users.' Personally, I spent most of my
time writing the datastore, both the backend and much of the Python API.
When I found extra time, though, I had a lot of fun writing apps and
libraries on top of App Engine. I particularly enjoyed writing an
interactive shell, an OpenID provider, and a full text search library.
From the OpenID Wiki: OpenID allows anyone who can run a web server to
run an identity server. Your identity server is separate from your
identity, so you are free to use any identity server that has some
ability to validate your identity and you can change between them at
will. An identity server is sometimes referred to as an identity provider.
If you wish, you can use the services listed below with your own website
as your identifier using delegation.

OGC Adopts ebRIM Application Profile for Catalogues

2008-04-13T23:38:00.000-07:00

The Open Geospatial Consortium announced that its membership has
approved the OASIS ebRIM (Electronic Business Registry Information
Model) application profile of the OpenGIS Catalogue Service 2.1.2
standard. The Catalogue Standard specifies a design pattern that
allows for the definition of interfaces called application profiles
based on different standards, such as ZF39.50, ebRIM, UDDI, or ISO
metadata, that support the ability to publish and search collections
of descriptive information (metadata) about geospatial data, services
and related information objects. The ebRIM application profile was
developed and adopted because it enables catalogs to handle services
as well a variety of other geospatial resource types such as symbol
libraries, coordinate reference systems, application profiles, and
application schemas and geospatial metadata. The OGC is an international
industry consortium of more than 345 companies, government agencies,
research organizations, and universities participating in a consensus
process to develop publicly available interface specifications.
OpenGIS Specifications support interoperable solutions that geo-enable
the Web, wireless and location-based services, and mainstream IT. The
specifications empower technology developers to make complex spatial
information and services accessible and useful with all kinds of
applications.

Building an Entitlements Management Solution

2008-04-13T23:37:00.002-07:00

What does it take to build an Entitlements Management solution? That
depends on who you ask of course. However, when I look at commercial
products in this area I see certain common architectural patterns.
Many of the products that I've seen make use of a set of common elements
defined by the OASIS XACML standard (Extensible Access Control Markup
Language). The [referenced] picture shows the typical components of an
Entitlements Management solution. The XACML spec defines the role of
the Policy Administration Point (PAP), the Policy Decision Point (PDP),
the Policy Enforcement Point (PEP), and the Policy Information Points
(PIP). The Policy Administration Point (PAP) manages the creation and
storage of policy data in the Policy Store. The administrator interacts
with the PAP (typically) through a browser based management console
where roles, policies, resources, actions and so forth are defined and
managed. The policy store may be an LDAP directory or a database. The
PAP may also provide facilities for policy import and export. Most
products provide some management APIs that allow customers to embed
administrative functionality into their own applications. Runtime role
or authorization decisions are determine at the Policy Decision Points.
Typically I've seen two ways that PDPs are deployed: (1) As a
centralized entitlements server that can be invoked by remote clients
via RMI, Web Service calls or using the XACML 2.0 request/response
protocol. (2) As an embedded PDP deployed in same process space as
the application. The most common examples are PDPs embedded in a JVM
for plain Java applications or embedded in an application server for
J2EE applications... The PDPs can be configured to get data from one
or more Policy Information Points (PIPs). These PIPs can be user or
application directories or databases that contain information that
is required to make an access decision. Such information includes
user, group, and resource attributes (e.g. user profile information,
account balances and limits, etc.). These attributes can then be
used in the policies which control access...

Mathematical Markup Language (MathML) Version 3.0 Draft Published

2008-04-13T23:37:00.001-07:00

W3C's Math Working Group has published a Working Draft of "Mathematical
Markup Language (MathML) Version 3.0." This is the third draft of
MathML, an XML application for describing mathematical notation and
capturing both its structure and content. The specification defines the
Mathematical Markup Language, or MathML, as an XML application for
describing mathematical notation and capturing both its structure and
content. The goal of MathML is to enable mathematics to be served,
received, and processed on the World Wide Web, just as HTML has enabled
this functionality for text. This specification of the markup language
MathML is intended primarily for a readership consisting of those who
will be developing or implementing renderers or editors using it, or
software that will communicate using MathML as a protocol for input or
output. It is not a User's Guide but rather a reference document. MathML
can be used to encode both mathematical notation and mathematical
content. About thirty-five of the MathML tags describe abstract
notational structures, while another about one hundred and seventy
provide a way of unambiguously specifying the intended meaning of an
expression. Additional chapters discuss how the MathML content and
presentation elements interact, and how MathML renderers might be
implemented and should interact with browsers. Finally, this document
addresses the issue of special characters used for mathematics, their
handling in MathML, their presence in Unicode, and their relation to
fonts. While MathML is human-readable, in all but the simplest cases,
authors use equation editors, conversion programs, and other specialized
software tools to generate MathML. Several versions of such MathML
tools exist, and more, both freely available software and commercial
products, are under development.

RSA 2008: BT Trials Federated Identity Management

2008-04-09T00:25:00.002-07:00

BT is experimenting with a federated identity management system that
could be rollled out to its eight million internet users and corporate
customers. A commercial version would allow users to identify themselves
for websites and applications and other users to access data, do work
and transact business, said Robert Temple, BT's chief security architect.
Using CA's Siteminder software, BT is giving internal staff web access
to applications such as Peoplesoft, Siebel, Oracle Financials, Citrix,
an XML gateway, and a voice-verification system from Persay. Temple said
the company's intention is to provide managed user identity as a "common
capability" of the kind relatively common in IT but rare in
telecommunications. Temple said BT runs 32 discrete different networks.
As a result it has too many Radius identity authentication servers.
Learning how to consolidate how it manages user identities on all these
networks is the only way it would be possible to extend similar
safeguards to BT customers, he said. It has opted to use the Liberty
Alliance's Security Assertion Markup Language (SAML) 2.0 standard for
federated identity management. However, it has proved hard to find
external contractors willing and able to help BT as most were familiar
with earlier versions of SAML. Temple noted that relationships between
BT and organisations sharing its federated IDs were plagued by lawyers
and contracts. "In the end, we asked the lawyers politely to get out of
the way as we knew what we were doing," he said. Temple said this was
not to minimise the legal issues, which required partners to spend a
lot of time building trust in each other. These lessons would help to
reduce the learning curve for user organisations when the time came for
them to make more use of the web for business applications...

SCA Java EE Integration Specification Version 0.9

2008-04-09T00:25:00.001-07:00

On March 28, 2008 Version 0.9 of the SCA "Java EE Integration
Specification" was published by OSOA authors as part of the SCA
Service Component Architecture; contributors include BEA, Cape Clear,
IBM, Interface21, IONA, Oracle, Primeton, Progress Software, Red Hat,
Rogue Wave, SAP, Siemens, Software AG., Sun, Sybase, and TIBCO. The
specification defines a model of using SCA assembly in the context of
a Java EE runtime that enables integration with Java EE technologies
on a fine-grained component level as well as use of Java EE applications
and modules in a coarse-grained large system approach. The Java EE
specifications define various programming models that result in
application components, such as Enterprise Java Beans (EJB) and Web
applications that are packaged in modules and that are assembled to
enterprise applications using a Java Naming and Directory Interface
(JNDI) based system of component level references and component naming.
Names of Java EE components are scoped to the application package
(including single module application packages), while references, such
as EJB references and resource references, are scoped to the component
and bound in the Environment Naming Context (ENC). In order to reflect
and extend this model with SCA assembly, this specification introduces
the concept of the Application Composite and a number of implementation
types, such as the EJB implementation type and the Web implementation
type, that represent the most common Java EE component types.
Implementation types for Java EE components associate those component
implementations with SCA service components and their configuration,
consisting of SCA wiring and component properties as well as an assembly
scope (i.e. a composite). Note that the use of these implementation
types does not create new component instances as far as Java EE is
concerned. Section 3.1 explains this in more detail. In terms of
packaging and deployment this specification supports the use of a Java
EE application package as an SCA contribution, adding SCA's domain
metaphor to regular Java EE packaging and deployment. In addition, the
JEE implementation type provides a means for larger scale assembly of
contributions in which a Java EE application forms an integrated part
of a larger assembly context and where it is viewed as an implementation
artifact that may be deployed several times with different component
configurations.

Intel Releases SOA Security Toolkit

2008-04-09T00:24:00.002-07:00

Intel has introduced its SOA Security Toolkit as a release candidate.
Part of Intel's family of XML tools, the toolkit is a high-performance
software module that addresses the confidentiality needs of
services-oriented architectures (SOA) by providing XML digital
signatures, encryption, and decryption capabilities for SOAP protocol
messages. Enterprises adopting and deploying Service Oriented
Architecture (SOA) solutions rely on message formats defined in XML
(Extensible Markup Language). The extensibility, verbosity and
structured nature of XML create performance challenges for software
developers seeking to provide content security in this dynamic,
heterogeneous environment. The Intel SOA Security Toolkit is standards
compliant, for easy integration into existing XML processing environments
and is optimized to support the authentication, confidentiality and
integrity of complex and large-size XML documents. The Intel SOA Security
Toolkit 1.0 for Java environments is a high-performance policy-driven
API available for Linux and Windows. Compliant with WS-security 1.0/1.1
and SOAP 1.1/1.2 standards, the toolkit focuses on confidentiality,
integrity and non-repudiation for SOA environments. This toolkit enables
encryption and decryption of SOAP message data, digital signature and
verification via a wide range of security algorithms, using industry
standards, for both servers as well as application environments. The
toolkit lets users provide their own XML policy file as an input. Through
this policy file, users can specify for the API security policy engine
which key provider and trust manager to instantiate, using either a
custom or the default class loader implementation. The security policy
engine then applies the specified policy, obtaining the keys and
certificates through the specified key provider and perform the trust
check using the specified trust manager. The toolkit supports all types
of X509 certificates, private, and shared keys.

Cool URIs for the Semantic Web

2008-04-09T00:24:00.001-07:00

Members of the W3C Semantic Web Education and Outreach (SWEO) Interest
Group have published an Interest Group Note "Cool URIs for the Semantic
Web." It constitutes a tutorial explaining decisions of the Technical
Architecture Group (TAG) for newcomers to Semantic Web technologies. The
document was initially based on the DFKI Technical Memo TM-07-01, 'Cool
URIs for the Semantic Web' and was subsequently published as a W3C
Working draft in December 2007, and again in March 2008 by the Semantic
Web Education and Outreach (SWEO) Interest Group of the W3C, part of the
W3C Semantic Web Activity. The drafts were publicly reviewed, especially
by the TAG and the Semantic Web Deployment Group (SWD). Summary: The
Resource Description Framework RDF allows users to describe both Web
documents and concepts from the real world -- people, organisations,
topics, things -- in a computer-processable way. Publishing such
descriptions on the Web creates the Semantic Web. URIs (Uniform Resource
Identifiers) are very important, providing both the core of the framework
itself and the link between RDF and the Web. This document presents
guidelines for their effective use. It discusses two strategies, called
303 URIs and hash URIs. It gives pointers to several Web sites that use
these solutions, and briefly discusses why several other proposals have
problems. Given only a URI, machines and people should be able to retrieve
a description about the resource identified by the URI from the Web. Such
a look-up mechanism is important to establish shared understanding of
what a URI identifies. Machines should get RDF data and humans should get
a readable representation, such as HTML. The standard Web transfer protocol,
HTTP, should be used. There should be no confusion between identifiers
for Web documents and identifiers for other resources. URIs are meant
to identify only one of them, so one URI can't stand for both a Web
document and a real-world object.

Google App Engine Supports Scalable Application Development

2008-04-09T00:23:00.002-07:00

Google has announced the availability of its free Google App Engine which
provides a fully-integrated application environment, making it "easy
to build scalable applications that grow from one user to millions of
users without infrastructure headaches." According to the Google
announcement, "Google App Engine gives you access to the same building
blocks that Google uses for its own applications, making it easier to
build an application that runs reliably, even under heavy load and with
large amounts of data. The development environment includes the following
features: (1) Dynamic webserving, with full support of common web
technologies; (2) Persistent storage powered by Bigtable and GFS [Google
File System, a scalable distributed file system for large distributed
data-intensive applications] with queries, sorting, and transactions;
(3) Automatic scaling and load balancing; (4) Google APIs for
authenticating users and sending email; (5) Fully featured local
development environment. App Engine applications are implemented using
the Python programming language. The App Engine Python runtime environment
includes a specialized version of the Python interpreter, the standard
Python library, libraries and APIs for App Engine, and a standard
interface to the web server layer. Google App Engine and Django both
have the ability to use the WSGI standard to run applications. As a result,
it is possible to use nearly the entire Django stack on Google App Engine,
including middleware. As a developer, the only necessary adjustment is
modifying your Django data models to make use of the Google App Engine
Datastore API to interface with the fast, scalable Google App Engine
datastore. Since both Django and Google App Engine have a similar concept
of models, as a Django developer, you can quickly adjust your application
to use our datastore. Google App Engine packages these building blocks
and takes care of the infrastructure stack, leaving you more time to
focus on writing code and improving your application... This preview of
Google App Engine is available for the first 10,000 developers who sign
up, and we plan to increase that number in near future. During this
preview period, applications are limited to 500MB of storage, 200M
megacycles of CPU per day, and 10GB bandwidth per day. We expect most
applications will be able to serve around 5 million pageviews per month.
In the future, these limited quotas will remain free, and developers will
be able to purchase additional resources as needed..."

New WSO2 Identity Solution Feature-Rich with OpenID

2008-04-09T00:23:00.001-07:00

Developers today announced the "WSO2 Identity Solution", which enables
LAMP and Java websites to provide strong authentication based on the
new interoperable Microsoft CardSpace technology. New features in
version 1.5 include: (1) OpenID Provider and relying party component
support; (2) OpenID information cards based on user name-token credential
and self issued credential; (3) SAML 2.0 support. "This new release
includes OpenID and OpenID Information Cards, further enhancing the WSO2
Identity Solution to cater to a wider audience for web based
authentication. OpenID is a key feature in decentralizing single sign-on,
much favored by many users. The WSO2 Identity Solution is built on the
open standards Security Assertion Mark-up Language (SAML) and WS-Trust.
This version supports SAML version 2.0 in addition to 1.1 which was
available in the previous version of the WSO2 Identity Solution. WSO2's
open source security offering features an easy-to-use Identity Provider
that is controlled by a simple Web-based management console and supports
interoperability with multiple vendors' CardSpace components. This
includes those provided by Microsoft .NET. The WSO2 Identity Solution
also works with current enterprise identity directories, such as those
based on the Lightweight Directory Access Protocol (LDAP) and Microsoft
Active Directory, allowing them to leverage their existing infrastructure.
In addition to the Identity Provider the WSO2 Identity Solution provides
a Relying Party Component Set which plugs into the most common Web
servers to add support for CardSpace authentication and now OpenID."
The software is available for download, governed by the open source
Apache License, Version 2.0.

First Public Draft: Health Care and Life Sciences (HCLS) Knowledgebase

2008-04-09T00:22:00.002-07:00

Members of the W3C Semantic Web in Health Care and Life Sciences
Interest Group (HCLS) have released a First Working Draft for a "HCLS
Knowledgebase" specification. This document is one of two initial WDs.
The HCLS Knowledgebase (HCLS-KB) is a biomedical knowledge base that
integrates 15 distinct data sources using currently available Semantic
Web Technologies such as the W3C standard Web Ontology Language (OWL)
and Resource Description Framework (RDF). This report outlines which
resources were integrated, how the KB was constructed using freely
available triple store technology, how it can be queried using the W3C
Recommended RDF query language SPARQL, and what resources and inferences
are involved in answering complex queries. While the utility of the KB
is illustrated by identifying a set of genes involved in Alzheimer's
Disease, the approach described here can be applied to any use case
that integrates data from multiple domains. A second document
"Experiences with the Conversion of SenseLab databases to RDF/OWL"
shares implementation experience of the Yale Center for Medical
Informatics: "One of the challenges facing Semantic Web for Health
Care and Life Sciences is that of converting relational databases
into Semantic Web format. The issues and the steps involved in such
a conversion have not been well documented. To this end, we have
created this document to describe the process of converting SenseLab
databases into OWL. SenseLab is a collection of relational (Oracle)
databases for neuroscientific research. The conversion of these
databases into RDF/OWL format is an important step towards realizing
the benefits of Semantic Web in integrative neuroscience research.
This document describes how we represented some of the SenseLab
databases in Resource Description Framework (RDF) and Web Ontology
Language (OWL), and discusses the advantages and disadvantages of
these representations. Our OWL representation is based on the reuse
of existing standard OWL ontologies developed in the biomedical
ontology communities." The mission of the W3C Health Care and Life
Sciences (HCLS) Interest Group is to show how to use Semantic Web
technology to answer cross-disciplinary questions in life science that
have, until now, been prohibitively difficult to research. The
success of the group continues to draw industry interest. W3C Members
are currently reviewing a draft charter that would enable the renewed
HCLS Interest Group to develop and support use cases that have clear
scientific, business and/or technical value, using Semantic Web
technologies in three areas: life science, translational medicine,
and health care. W3C invites Members to review the draft charter
(which is public during the review), and encourages those who are
interested in using the Semantic Web to solve knowledge representation
and integration on a large scale to join the Interest Group.

DMTF SM CLP Specification Adopted as an ANSI INCITS Standard

2008-04-09T00:22:00.001-07:00

The Distributed Management Task Force announced a major technology
milestone in achieving "National Recognition with a Newly Approved ANSI
Standard." Its Server Management Command Line Protocol (SM CLP)
specification, a key component of DMTF's Systems Management Architecture
for Server Hardware (SMASH) initiative, has been approved as an American
National Standards Institute (ANSI) InterNational Committee for
Information Technology Standards (INCITS) standard. DMTF will continue
to work with INCITS to submit the new ANSI standard to the International
Standards Organization/ International Electrotechnical Commission
(ISO/IEC) Joint Technical Committee 1 (JTC 1) for approval as an
international standard. The INCITS Executive Board recently approved the
SM CLP standard, which has been designated ANSI INCITS 438-2008. INCITS
is accredited by ANSI, the organization that oversees the development of
American National Standards by accrediting the procedures of
standards-developing organizations, such as INCITS. SM CLP (DSP0214) is
a part of DMTF's SMASH initiative, which is a suite of specifications
that deliver architectural semantics, industry standard protocols and
profiles to unify the management of the data center. The SM CLP standard
was driven by a market requirement for a common command language to
manage a heterogeneous server environment. Platform vendors provide tools
and commands in order to perform systems management on their servers.
SM CLP unifies management of multi-vendor servers by providing a common
command language for key server management tasks. The spec also enables
common scripting and automation using a variety of tools. The SM CLP spec
allows management solution vendors to deliver many benefits to IT
customers. The spec enables data center administrators to securely manage
their heterogeneous server environments using a command line protocol
and a common set of commands. SM CLP also enables the development of
common scripts to increase data center automation, which can help
significantly reduce management costs... The CLP is defined as a
character-based message protocol and not as an interface, in a fashion
similar to Simple Mail Transfer Protocol (RFC 2821). The CLP is a
command/response protocol, which means that a text command message is
transmitted from the Client over the transport protocol to the
Manageability Access Point (MAP). The MAP receives the command and
processes it. A text response message is then transmitted from the MAP
back to the Client... The CLP supports generating XML output data
(Extensible Markup Language, Third edition), as well as keyword mode
and modes for plain text output. XML was chosen as a supported output
format due to its acceptance in the industry, establishment as a
standard, and the need for Clients to import data obtained through the
CLP into other applications.

XML and Government Schizophrenia

2008-04-08T04:32:00.001-07:00

The U.S. Government is very leery of technology fads and that is why
it often has a love/hate relationship with XML. For every technology
that exists, the government has a huge legacy investment. So, while the
corporate world may turn on a dime and quickly adopt the latest and
greatest thing -- the government must contend with huge legacy issues,
a two-year (minimum) budget planning cycle, and a horde of technologists
actively engaged and personally invested in that legacy technology that
you want to throw away! [...] Let me briefly discuss a program that I
initiated when working for the Department of Homeland Security (DHS).
The National Information Exchange Model (NIEM) started as a joint-venture
between DHS and the Department of Justice (DOJ) to harmonize and speed
up the process of information sharing between the federal government
and state and local governments -- actually State, Local and Tribal
governments. The basic idea is that it combines a registry of standard
data objects (modeled via XML Schema), a process for quickly producing
an exchange message, a governance process for the model, and robust tool
support. The model leveraged and extended an existing model called the
Global Justice XML Data Model (GJXDM). It is widely used by law
enforcement at all levels of government and now is also being widely
used at DHS. It has multiple success stories behind it including the
Amber Alert and the national sex offender registry. I highly encourage
everyone to look at it and help make it better. So, what does this mean
for Government Schizophrenia? For information sharing, XML is a favorite
but is attacked continuously in relation to weak data modeling support,
weak encoding of binary objects, performance issues, and many more...

Web Oriented Architecture (WOA) May Soon Eclipse SOA

2008-04-08T04:31:00.004-07:00

A recent blog post questions whether services oriented architecture
(SOA) was driving substantive transformation inside of enterprise IT.
My conclusion is that something is not quite right in SOA-ville. The
uptake of general-purpose service enablement is by no means a hockey
stick trend line. The adoption patterns some five years into the SOA
evolutionary path do not show a slam dunk demand effect. The role,
impact and importance of SOA is, in fact, ambiguous -- still. Many
see it as merely an offshoot of EAI, rather than a full-blown paradigm
shift. Meanwhile, some other trends that do demonstrate more of a
hockey stick adoption pattern -- social media, Ruby/Phython, RESTful
interactions, and RIAs -- are worth a fresh look in the context of SOA.
The new kids on the innovation block are experimenting at break-neck
speed with social media, social networking, Ruby on Rails, SaaS, Python,
REST and the vital mix of rich Internet application (RIA) approaches.
Something is going on here that shows the compelling attraction of
better collaboration and sharing methods, of self-defining social and
work teams, of faster and easier applications development, of not
moving old systems to the Web but just moving to the Web directly, and
the recognition that off-the-wire applications with fine UIs are the
future... I'm wondering now whether the window for holistic SOA
deployment and value, as it has been classically defined, is being
eclipsed. Is it possible that Web interfaces and data disintermediation
for legacy applications will be enough? Is it possible that exposing
the old applications, and reducing costs of IT support via consolidation
and modernization is enough? In short, is the path of least resistance
to business transformation one that necessarily requires a fording of
the SOA stream? Or is there a shorter, dry path that goes directly to
Web oriented architecture? Is SOA therefore the impediment or empowerment
to transformation on the right scale and at Internet time?

SaaS Single Sign-On: It's Time for a Lighter Approach

2008-04-08T04:31:00.003-07:00

SaaS brings a lot of advantages to businesses - no need to invest in
purchasing and maintaining licenses and infrastructure, and no need
to worry about upgrades and bug fixes. Larger companies, however, face
a major challenge related to user authentication and management. Larger
companies have invested a lot of time and effort in improving user
productivity, compliance and security, and in cutting user management
costs. They have done so using technologies like single sign-on and
centralized user management. SaaS applications are now challenging
those efforts and threatening to bring them back to the situation
where every user has several different usernames and passwords and
the customers have several different user directories to maintain.
Currently there are a few common ways for SaaS providers to give users
single sign-on and/or to let customers use their internal user management
solutions to manage access to the SaaS application: (1) Identity
federation; (2) Delegated authentication; (3) Encrypted links; (4)
User directory synchronization. Identity federation, as a concept,
is exactly what is needed -- SaaS providers can offer customers single
sign-on and automated user management based on current information in
their internal user directory. Identity federation based on SAML,
WS-Federation or ADFS, however, requires each customer to invest in
and roll out software compliant with those technologies... Delegated
authentication provides users single sign-on by using an existing
logon, for instance on a corporate intranet, to generate tokens that
can be used to grant access to a SaaS application. However, delegated
authentication does not bring any help to maintenance of user profiles
and access rights, which still have to be maintained manually in the
application. It also requires time and technical resources by the
customer... Google Analytics, the SaaS application for monitoring web
site usage, offers a different and interesting view to the problem.
Each Analytics customer needs to integrate Analytics with its web site
in order to be able to collect and monitor usage statistics. By
choosing a scripting integration model requiring only a few lines of
JavaScript on the web pages, Google managed to lower the requirements
on the customers' web sites and the technical skills required to do
the integration. As a result, they managed to get hundreds of thousands
of customers in 18 months...