
WebServices dot org


Where Did That XML Traffic Come From? I Thought AJAX Was a Cleaner...

7th Feb 06:

Think you have a carefully planned migration to XML and Web Services? Don’t look now, but XML is about to start coming in from unexpected sources.

Architects and developers have been coming up to speed on a group of closely related technologies: XML, Web Services and Service Oriented Architecture. In most companies, the integration of these technologies has involved considerable thought and planning. Much like the Dutch boy and the dike, it looks as though XML is now starting to come in from every direction.

This growing influx of XML is coming from user-generated XML. The source getting most attention recently is AJAX. Suddenly the power of asynchronous user interface handling is becoming evident and it is generating a lot of XML traffic - it is already coming across your enterprise boundaries. Each of your users accessing Google Maps, Gmail or the new Yahoo mail client, or using the upcoming Microsoft Web Mail Browser (kahuna), is already driving XML across your firewall. The next major driver for user-generated XML (appearing towards the end of this year) will be the introduction of Microsoft’s Office 12 with XML document formats and Web services based integration functionality.

So you think your server XML traffic loads are going to be large when application-to-application interactions over Web Services take hold? Wait until you hit the hundreds or thousands of additional XML messages and content driven by your average users.

Much has been written about the implications of application-to-application Web services for application control and security. While many application and network architects have taken a wait-and-see approach to dealing with XML Web services network traffic, the rapid escalation of user-generated XML will introduce security, bandwidth and latency issues much faster than existing network and application server infrastructure can address them.

Standard network security solutions already pass XML traffic through because it looks like any other browser-generated HTTP traffic. Simple solutions that try to block any incoming traffic that appears to contain XML are going to be even more useless. Lots of XML traffic is going to be coming from lots of perfectly valid sources in your intranet, your extranet and from the big bad Internet.

Fortunately there are standards and solutions that address the fundamental issues of XML and Web Service security now. However, composite and work-flow applications are going to have a hard time both separating good and bad XML traffic and controlling trusted access to Web Services. Message-based attacks (replay attacks, out-of-order message attacks and just plain fraudulent message insertions) are going to be easier to perpetrate in the blizzard of XML traffic that will be flowing through your network firewalls and around your internal networks.

AJAX introduces a host of new threats and security issues that Web application developers may not. Effective use of AJAX requires the efficient processing of XML and verification of identity and access rights. Security functions including signing, encryption, identity verification (not to mention threat mitigation such as schema validation, content inspection and denial-of-service detection) are really expensive. Expensive enough that they bring your average server platform to its knees: around 300-400 transactions per second for simple processing, dropping to just tens of transactions for security functions.

Message-level security features have to be utilized. The flow of traffic in our new loosely-coupled, re-usable-business-service world cannot be secured effectively using simple session-based solutions like SSL. Fortunately network intermediaries such as XML Security Gateways come to the rescue to off-load XML, security and trust processing from the application platforms.
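To make the message-level checks concrete, here is an added example (not part of the original post) of an intermediary that rejects the three message-based attacks named above regardless of which SSL session delivered the message. The `<msg>` format, its `sender`/`seq`/`nonce`/`mac` attributes, the HMAC construction and the shared key are all assumptions made for illustration; they stand in for a real XML signature scheme.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key"  # constructed secret; assume one per sender in practice


def _mac(key, sender, seq, nonce, body):
    # NUL cannot occur in XML 1.0 text, so it separates the fields unambiguously.
    data = "\x00".join([sender, str(seq), nonce, body]).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign(sender, seq, nonce, body, key=KEY):
    """Build a hypothetical <msg> whose MAC covers sender, seq, nonce and body."""
    msg = ET.Element("msg", sender=sender, seq=str(seq), nonce=nonce,
                     mac=_mac(key, sender, seq, nonce, body))
    msg.text = body
    return ET.tostring(msg, encoding="unicode")


class Verifier:
    """Per-message checks that hold no matter which transport session is used."""

    def __init__(self, key=KEY):
        self.key = key
        self.seen = set()    # (sender, nonce) pairs already accepted
        self.last_seq = {}   # highest sequence number accepted per sender

    def check(self, xml_text):
        # Untrusted XML should go through a hardened parser (e.g. defusedxml).
        try:
            msg = ET.fromstring(xml_text)
            a = msg.attrib
            sender, nonce, mac, seq = a["sender"], a["nonce"], a["mac"], int(a["seq"])
        except (ET.ParseError, KeyError, ValueError):
            return "malformed"
        expected = _mac(self.key, sender, seq, nonce, msg.text or "")
        if not hmac.compare_digest(expected, mac):
            return "forged"          # inserted or tampered message
        if (sender, nonce) in self.seen:
            return "replay"          # identical message delivered twice
        if seq <= self.last_seq.get(sender, 0):
            return "out-of-order"    # validly signed but stale sequence number
        self.seen.add((sender, nonce))
        self.last_seq[sender] = seq
        return "ok"
```

The strictly increasing sequence policy also drops legitimately reordered messages; a sliding window would relax that at the cost of more state per sender.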

AJAX is here. Every application development environment and packaged application is generating XML and Web services interfaces. Microsoft Office embeds it. User-generated XML will dramatically affect our IT and network infrastructure. The XML processing load, and more importantly the security of XML content, has to be addressed. Enterprise-quality XML-enabled networks must route, filter, transform, monitor, audit and protect the privacy of XML messages based not only on URIs, but also on identities and content.

We are about to be deluged by XML in all of our organizations, ready or not.

