Web Services discussion at CSG
This morning we're talking about Web Services and how they're being used in higher education institutions. Mark Franklin from Dartmouth is giving a quick rundown of what Web Services are: either "a great way to unfetter apps from security restrictions" or "a conspiracy to circumvent firewalls by opening port 80 to all sorts of things" :)
Of course, when we talk about Web Services (as opposed to web services), we really mean program-to-program communication using SOAP and WSDL, usually over HTTP. (If you understand that, then you're ready for the brave new world.) As I understand it, WSDL describes the program interface for your application, SOAP is the "envelope" that web services transactions are wrapped in, and UDDI is supposed to be a way of allowing programs to discover what services are available. As Bob Morgan notes, UDDI can look a lot more like exposing your vulnerabilities to the world than it does a way to discover business practices.
Bob further points out that what makes Web Services different from CORBA, COM, DCE, et al. is that at the simplest level Web Services are text messages, and if you really wanted to, you could type a Web Services message into your text editor and send it over the wire and get it to do something useful - so under the mantra of "making simple things simple" it might be both useful and popular.
As usual with this crowd, security is a big concern, and the consensus here is that security of web services is not at all a solved problem, either for authentication/authorization or in the buffer overflow/open compromise senses.
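To make the "text message over port 80" point concrete, here is an added example (not part of the original post or of anything shown at the meeting): a hand-typed SOAP 1.1 request and a small check that reads the operation out of the envelope, which is the only place a filter can see what is being asked for. The host, path, namespace, operation name and allowlist are hypothetical.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace

# Constructed sample request; host, path, namespace and operation are hypothetical.
RAW_REQUEST = (
    "POST /services/directory HTTP/1.1\r\n"
    "Host: ws.example.edu\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    'SOAPAction: "urn:example:directory#LookupPerson"\r\n'
    "\r\n"
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">\n'
    "  <soap:Body>\n"
    '    <d:LookupPerson xmlns:d="urn:example:directory">\n'
    "      <d:netid>jdoe</d:netid>\n"
    "    </d:LookupPerson>\n"
    "  </soap:Body>\n"
    "</soap:Envelope>\n"
)

# Hypothetical policy: (namespace, operation) pairs this endpoint may receive.
ALLOWED = {("urn:example:directory", "LookupPerson")}

def soap_operation(raw):
    """Return (namespace, operation, SOAPAction) from a raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "<!DOCTYPE" in body.upper():              # SOAP 1.1 forbids DTDs
        raise ValueError("DTD in SOAP message")
    root = ET.fromstring(body)
    if root.tag != "{%s}Envelope" % SOAP_ENV:
        raise ValueError("not a SOAP 1.1 envelope")
    soap_body = root.find("{%s}Body" % SOAP_ENV)
    if soap_body is None or len(soap_body) == 0:
        raise ValueError("empty SOAP body")
    tag = soap_body[0].tag                       # "{namespace}LocalName"
    ns, op = tag[1:].split("}", 1) if tag.startswith("{") else ("", tag)
    return ns, op, headers.get("soapaction", "").strip('"')

def is_allowed(raw):
    """Fail closed: True only if the body's operation is on the allowlist."""
    try:
        ns, op, _ = soap_operation(raw)
    except (ValueError, ET.ParseError):
        return False
    return (ns, op) in ALLOWED
```

The decision is made on the element inside the SOAP body rather than on the SOAPAction header, since the header is only a hint supplied by the sender.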
Gavin Eadie from the University of Michigan pointed to the useful web site WebMethods, which has lots of useful pointers to web services that are actually out there for people to try, and ways to try using them.
Tim Sigmon from U Va is talking about the Fedora digital repository that Cornell and UVa have built, which uses Web Services for both internal and client access.
