Kit helps you to create safe "Liberty" Web services

[PROGRAMMERS REPORT, November 5, 2002] -- Web services protocols promise loosely coupled application integration, but securely authorizing and authenticating users as they navigate Web services apps could be a programmer's nightmare. While bits and pieces of identification infrastructure could be assembled from specs in the past, one firm has focused on tools that ease security development for Liberty Alliance Web services implementations.

Secure and reliable management of Web-based identification and authentication is the very raison d'etre of the Liberty Alliance Project, a coalition of companies formed last summer to deliver and support a federated network-identity solution for the Internet that enables single sign-on for consumers and business users.

"The idea is to create standards for identifying users the first time they log on and then letting other sites recognize and authenticate the user," explained Roger Sullivan, president of Phaos Technology. "Security is an essential component of any commerce activity on the 'Net, and that's what this federated alliance is driving toward."

Phaos was an early supporter of the alliance. The New York-based company released a toolkit for developing applications based on the Liberty specifications last July, just about the time the specs were announced.

Recently, the company released the 2.0 version of that toolkit. The Phaos Liberty Toolkit supports Liberty's sign-on authentication and authorization specifications. The Java-based toolkit allows developers to build single sign-on support into apps, and supports the consolidation of multiple enterprise authentication schemes via new XML-based Web services architectures. The toolkit also supports XML digital signatures and XML encryption.

The company also announced the Phaos XML Toolkit 2.0, a Java toolkit for building secure XML-based apps, as well as Phaos SAML 1.0, which provides a protocol to communicate assertions of an entity's security attributes, authentication and authorization.

"What we provide is what we call the Liberty service-enabling components," Vamsi Motukuru, CTO at Phaos, told Programmers Report. "Our toolkit allows you to create the Liberty protocol messages and provides support for exchanging these messages. It allows you to create, say, a single sign-on request message. It provides various security options, like signing or encryption."

Motukuru said the software also provides integrated functionality that supports SOAP message transport over SSL connections. The software can also take advantage of cryptographic hardware to perform security operations.

The brainchild of Sun Microsystems, the Liberty Alliance spec is an alternative to Microsoft's .NET Passport initiative. The group's main goal is to solve authentication problems for users logging on to Web services.

"The Liberty SDK gave customers a collection of tools from which they could build their own Liberty-compliant application," Phaos Technology's Sullivan said. "All the components were there, but [developers] had to put them together. With this toolkit, we've assembled the pieces into a unified collection to make it easier for them to build a Liberty-compliant application."

A time-limited evaluation copy of the Phaos Liberty Toolkit is available for download at http://www.phaos.com/products/liberty/liberty.html.

About the Author

John K. Waters is a freelance writer based in Silicon Valley.