Reflecting on Web Services DevCon East. This conference was easily the best one I attended in a long time -- and I go to a lot of conferences. It's rare that I sit through nearly all talks anywhere, but this was definitely different. If any conference would ever be worth the "summit" moniker, this is it. The coolest aspect of the conference was that with all the Microsoft, IBM and Axis folks, the spirit of interop was in the air -- so much in contrast to the wars the kids in the newsgroups are waging. We may all have our own tastes regarding programming models, languages and runtimes, but we're happily agreeing on most things going on on the wire.
Brian Jepson has a good review of all talks: Thursday, Friday.
Regarding my talk at DevCon:
I am trying to wrap up the setup for the very last demo, the "ASP.NET Soap Extension" wizard for C# in VS.NET today. Tim Ewald suggested that I make the various options switchable ([X] Extend WSDL, [X] Handle BeforeSerialize, etc.) before code generation and that's what I want to add before releasing it. The wizard will help you jump start writing the type of extensions that I have been developing over the past six months and which I showed in my talk. The Security and Transaction packages come with free source code and the Session and Management extensions come as a free binary package right now.
I was stunned by the way my stuff was received and how most people in the audience hadn't seen those extensibility points in ASMX yet -- or at least not "in action". I would like to encourage everyone who hasn't done so yet to grab the security package and peek into the source code to find out what ASMX can do for you.
Issues with my WS-Security stuff
Having said that, there are a couple of issues with the current state of the security extensions that I am going to fix (and am already fixing) for a future build. These are mostly related to the Kerberos aspects and don't really affect functionality, but are rather related to the WS-Security mapping per se.
WS-Security mandates that the session tickets are packaged as "raw" RFC1510 session tickets. The problem is that neither GSSAPI nor the Kerberos SSP will give you those. So, I am currently sending GSSAPI-interoperable session tickets and have already had some feedback from third parties that this indeed works. What I am going to correct is not my implementation, but I am actually going to add a "Kerberos V5 ST, GSSAPI wrapped" ticket type, since I think that's the proper way to do it right now.
I don't support signatures, because, again, I can't implement that on top of the Kerberos SSP. The WS-Security spec mandates that signatures are created using the Kerberos session key, which isn't exposed by the Kerberos SSP. Instead, the Kerberos SSP provides a signature function that creates a wrapped signature that can't be made compliant with the spec. For this, I am yet again going to make a spec extension to make that work for me.
Like it or not, these standards are all in a 0.x release state and if I can't implement them on the current technology set, I am going to make them work for me. As long as I am using the defined extensibility points as defined in the specification (inventing your own security tokens is just fine) and as long as I don't cause collisions, all is cool.
In a future build I'll also likely retire my own "user-name authentication" implementation and integrate the whole stuff with the Microsoft WSDK, including an attribute-driven mapping for Microsoft's X.509 authentication.
The other stuff
I showed how to use WMI to monitor you web services' activities for performance, logging and exception monitoring using the management extensions I wrote. Now, this stuff along with the session extensions is explicitly not "open source" and the license for the free download restricts use to evaluation, because ... well .. I am not as much Mother Teresa as it may seem. The current license is sufficient for demo purposes and that's what they were built for. If there is enough interest (enlist here: firstname.lastname@example.org), and it seems so right now, all of the extensions and a few more that we have brewing will be promoted from "demo status" to "production status", will get a serious review and some real QA, and they'll be available for commercial licensing as part of an "SDK subscription" (with full source), which will also include the Enterprise Services Utilities. As much as I enjoy doing these things and share them with everyone, we need to start covering our development cost in some way. Watch this space for this status going from "maybe" to "we'll do it".
We have a "Web Services Architectural Guidance" workshop format available as part of our training & education portfolio. The workshop covers architectural considerations and challenges for building both public and intranet based web services. This workshop format has been co-developed with CBDi and Microsoft EMEA and can be customized for decision maker, architect and developer audiences. The architect and developer tracks include in-depth coverage of all the extensibility tips & tricks for ASP.NET-based Web Services (this is what the extension stuff was really built for). The workshop is immediately available for in-house delivery by us anywhere in the world. Based on interest by individuals, we'll also consider setting up central workshops at some locations. (email@example.com).