From the Desk of Mohamad Afshar, PhD

SOA in Action Case Study: LibGo Travel

Experiences with caching, transactions, and security in a highly distributed, networked SOA in the travel and leisure industry

Pragmatism Pays with Security
LibGo has agents in stores, consumers online, and call center service representatives. The agents are responsible for bookings; managers must be able to obtain information on bookings and override policies. Given that the composite application incorporates business logic in NGTS, many ERP modules, and partner systems, the main challenge was to install a common access, authentication, and authorization framework across the applications that would enforce security and also enable auditing and logging (for compliance reasons).

To achieve this, LibGo used the HR model in Oracle e-Business Suite HRMS, along with Oracle Application Server Single Sign-On (SSO) and Oracle's Internet Directory (OID) LDAP store. Users, resources, and entitlements from Oracle HR are populated into the OID store, which holds application-specific objects. Every application and role has a set of entitlements; for example, agents may be allowed to accept partial payment for over-the-phone bookings, but customers who use the Web interface cannot do the same. All applications are then registered with SSO to provide single sign-on and role-based authentication via JAAS (the Java package that lets applications authenticate users and enforce access controls on them). LibGo uses Oracle Application Server Portal and SSO to consolidate services and bind them into a user interface, and to provide a common security and personalization framework for enabling access to packaged applications, business intelligence and reporting applications, and composite applications in NGTS.
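The paragraph above describes the shape of the framework (roles and entitlements held as application-specific directory objects, deny unless entitled, every decision logged for compliance) without showing a decision being made. The following is an added example, not code from the article or from LibGo's NGTS: a deny-by-default entitlement check with an audit trail. The users, roles, application name and entitlement names are constructed for illustration; a real deployment would read them from the OID store rather than from in-memory dictionaries.

```python
"""Added example (not from the article): deny-by-default authorization
against role entitlements, with every decision written to an audit trail.
All users, roles, applications and entitlement names are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Constructed directory content: the roles each user holds.
USER_ROLES: Dict[str, Set[str]] = {
    "agent01": {"agent"},
    "mgr01": {"agent", "manager"},
    "webcust42": {"customer"},
}

# Constructed entitlement objects, keyed by application and then by role.
# Each entitlement is (action, channel): the same action may be allowed on
# one channel and not another, which is the article's partial-payment case.
ENTITLEMENTS: Dict[str, Dict[str, Set[Tuple[str, str]]]] = {
    "ngts": {
        "agent": {
            ("booking.create", "store"), ("booking.create", "phone"),
            ("payment.partial", "phone"),
        },
        "manager": {
            ("booking.read_all", "store"), ("booking.read_all", "phone"),
            ("policy.override", "store"), ("policy.override", "phone"),
        },
        "customer": {
            ("booking.create", "web"), ("payment.full", "web"),
        },
    },
}


@dataclass
class AuditRecord:
    when: str
    user: str
    application: str
    action: str
    channel: str
    allowed: bool
    reason: str


# Append-only record of every authorization decision, allowed or denied.
AUDIT_LOG: List[AuditRecord] = []


def authorize(user: str, application: str, action: str, channel: str) -> bool:
    """Return True only if some role of the user carries an entitlement for
    exactly this (action, channel) in this application; log either way."""
    roles = USER_ROLES.get(user, set())            # unknown user -> no roles
    app_entitlements = ENDITLEMENTS_FOR(application)
    granting = sorted(r for r in roles if (action, channel) in app_entitlements.get(r, set()))
    allowed = bool(granting)
    reason = f"granted via role '{granting[0]}'" if allowed else "no matching entitlement"
    AUDIT_LOG.append(AuditRecord(
        datetime.now(timezone.utc).isoformat(), user, application, action, channel, allowed, reason,
    ))
    return allowed


def ENDITLEMENTS_FOR(application: str) -> Dict[str, Set[Tuple[str, str]]]:
    """Look up the entitlement objects registered for one application."""
    return ENTITLEMENTS.get(application, {})


if __name__ == "__main__":
    authorize("agent01", "ngts", "payment.partial", "phone")    # allowed
    authorize("webcust42", "ngts", "payment.partial", "web")    # denied
    for rec in AUDIT_LOG:
        print(rec)
```

The check is keyed on the channel as well as the action because that is where the article's example bites: a partial payment is an agent entitlement on the phone channel only, so a customer on the Web channel is denied even though the action name is the same. Denied decisions are logged alongside allowed ones, which is what makes the trail useful for compliance review.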

To secure communications between LibGo and external partners, we took the pragmatic approach of using secure frame relay lines, with VPN as a backup solution. Such transport-level approaches are somewhat heavy-handed, because they secure the entire wire protocol rather than just the SOAP message sent over it. Further, in many message-based integration projects a message passes through several intermediaries before it reaches its target endpoint, and transport-level security leaves the message unprotected at each of those intermediary checkpoints.

To achieve a finer level of control and to avoid the intermediary security issues, LibGo is moving from today's existing transport-level security to message-level security. WS-Security defines a mechanism for adding three levels of message-level security to SOAP messages:

  • Authentication Tokens: WS-Security authentication tokens let clients send, in a standardized fashion, a username and password or an X.509 certificate for authentication within the SOAP message headers.
  • XML Encryption: WS-Security's use of the W3C's XML Encryption standard lets the SOAP message body, or portions of it, be encrypted to ensure message confidentiality.
  • XML Digital Signatures: WS-Security's use of the W3C's XML Digital Signature standard lets SOAP messages be digitally signed to ensure message integrity. Typically, the signature is a value computed over the content of the message itself: if the message is altered en route, the digital signature becomes invalid.

Though the flexibility and interoperability that WS-Security affords are ideal, our transport-level security is good enough to secure individual conversations while implementations mature.
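The two paragraphs above make one argument: transport-level security protects each hop, so an intermediary that terminates the hop sees and can rewrite the SOAP body in the clear, whereas a signature carried inside the message travels with it and is checked by the final endpoint. The following added example, not code from the article, shows that difference on a toy envelope. Real WS-Security uses XML Signature with canonicalization and X.509 keys; here an HMAC over the serialized Body element stands in for that, and the `Security`, `Username` and `BodySignature` header elements are simplified stand-ins for the WS-Security header, not the real schema. The booking fields and shared key are constructed.

```python
"""Added example (not from the article): a toy message-level integrity check
that survives an intermediary rewriting the body. HMAC over the serialized
Body stands in for a real WS-Security XML Signature; header element names
are simplified stand-ins. Booking content and the key are constructed."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP)   # keeps the serialized prefix stable

# Constructed key shared by the two endpoints only; intermediaries never hold it.
ENDPOINT_KEY = b"constructed-demo-key-do-not-reuse"


def _body_digest(body: ET.Element, key: bytes) -> str:
    """Keyed digest over the Body element exactly as it is serialized."""
    return hmac.new(key, ET.tostring(body), hashlib.sha256).hexdigest()


def build_signed_envelope(username: str, amount: int, key: bytes = ENDPOINT_KEY) -> bytes:
    """Sender side: build the envelope and put a digest of the Body in the header."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    req = ET.SubElement(body, "bookingRequest")
    ET.SubElement(req, "partialPayment").text = str(amount)
    sec = ET.SubElement(header, "Security")          # simplified stand-in header
    ET.SubElement(sec, "Username").text = username    # stand-in for a username token
    ET.SubElement(sec, "BodySignature").text = _body_digest(body, key)
    return ET.tostring(env)


def verify_envelope(envelope_bytes: bytes, key: bytes = ENDPOINT_KEY) -> bool:
    """Receiver side: recompute the Body digest and compare in constant time."""
    env = ET.fromstring(envelope_bytes)
    body = env.find(f"{{{SOAP}}}Body")
    sig = env.find(f"{{{SOAP}}}Header/Security/BodySignature")
    if body is None or sig is None or not sig.text:
        return False
    return hmac.compare_digest(sig.text, _body_digest(body, key))


def intermediary_rewrites(envelope_bytes: bytes, new_amount: int) -> bytes:
    """Model of an intermediary hop where transport security has already been
    terminated: the body is readable and can be rewritten before forwarding."""
    env = ET.fromstring(envelope_bytes)
    env.find(f"{{{SOAP}}}Body/bookingRequest/partialPayment").text = str(new_amount)
    return ET.tostring(env)


if __name__ == "__main__":
    original = build_signed_envelope("agent01", 150)
    print("original verifies:", verify_envelope(original))                      # True
    print("rewritten verifies:", verify_envelope(intermediary_rewrites(original, 0)))  # False
```

The point to take from the example is the asymmetry: nothing in the toy stops the intermediary from rewriting the body, which is exactly what transport-level security also cannot prevent once the hop is terminated, but the final endpoint detects the change because the digest was bound to the body by a key the intermediary does not hold. Confidentiality at intermediaries is the separate concern that XML Encryption addresses and is not modelled here.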

Building an enterprise-wide SOA is challenging. As more capabilities move into standards and into the vendors' middleware stacks, however, the task should become easier. For example, when LibGo embarked on this project, Web services orchestration solutions were in their infancy. Now it is possible to get high performance, manageability, auditability, exception management, and a framework for building compensating transactions from BPEL Process Manager. In building out our SOA, we had a clear view of the evolution of standards and of how capabilities around security and transaction management would work their way into products. When building your SOA, make sure you have this view - so you don't end up producing tomorrow's legacy systems.

More Stories By Mohamad Afshar

Mohamad Afshar, PhD, is VP of Product Management at Oracle. He has product management responsibilities for Oracle's middleware portfolio and is part of the team driving Oracle's investments in SOA on Application Grid - which brings together SOA and data grid technologies to ensure predictable low latency for SOA applications. Prior to joining Oracle, he founded Apama, a complex event processing vendor acquired by Progress Software. He has a PhD in Parallel Systems from Cambridge University, where he built a system for processing massive data sets using a MapReduce framework.

More Stories By Armughan Rafat

Armughan Rafat is the lead architect of LibGo's Next-Generation Travel System (NGTS). Rafat, who has been building large distributed systems for more than 10 years, holds an MS in Software Engineering and Technology Management and is certified for the Microsoft, Sun, and Oracle platforms. Prior to working at LibGo, he led projects at AT&T and Lucent as a lead architect. He specializes in creating Enterprise Architectures for large-scale projects and writes a blog on Enterprise Architecture.

More Stories By Markus Zirn

Markus Zirn is a senior director of product management for Oracle Fusion Middleware. He heads the Strategic Customer Program, where he works with Oracle's most innovative middleware customers. Recently, he produced the "SOA Best Practices-The BPEL Cookbook" series on Oracle Technology Network. He has practical experience designing and optimizing business processes - conducting multiple business process re-engineering projects while a consultant with Booz Allen Hamilton. He holds a master's degree in electrical engineering from the University of Karlsruhe, Germany; the University of Southampton, U.K.; and ESIEE, France.
