The Web Services Enhancements (WSE) 2.0 toolkit gives advanced developers early access to important Web services protocols. In particular, the toolkit enables developers to become familiar with and implement Web services message security before the release of "Indigo," Microsoft's upcoming technology for Web services development. While the toolkit is now fully supported for production use, developers should be aware of possible compatibility issues before charging ahead.

Toolkit Supports Latest Web Services Standards

Key Web services protocols supported in WSE 2.0 include the following:

WS-Security provides message encryption and defines how security tokens (such as X.509 certificates and Kerberos tickets) should be encoded and attached to Simple Object Access Protocol (SOAP) messages. This enables messages to remain secure even when stored in databases or queues, or when sent between sites that don’t have a secure, end-to-end network connection. WS-Security was recently ratified by the Organization for the Advancement of Structured Information Standards (OASIS), a vendor consortium for XML standards.

WS-Trust allows developers to create Web services that issue security tokens, thereby allowing organizations to establish trust relationships with business partners and avoid the difficulties of maintaining credential information for employees of the partner company.

WS-Policy allows a Web service to describe its service requirements and capabilities. For example, a Web service using WS-Policy can inform clients that messages must be encrypted.

WSE 2.0 introduces a new programming model which is different from that used in the initial release of Visual Studio .NET and the .NET Framework, but which is better suited for developing Web services that use the emerging WS-* specifications. In particular, it directly exposes the message pipeline and the SOAP headers and envelopes of messages to developers, giving them the ability to access message fields governed by WS-*.

Ready for Production, with Caveats

New features in the toolkit since its 2003 Technical Preview release include a Policy Wizard, which helps automate implementation of security policies in Web services. This release of the toolkit is eligible for full product support from Microsoft for the same period as Visual Studio 2003, which implies full support through 2008. The Technical Preview, in contrast, is supported only through 2006. Furthermore, Microsoft will now support redistribution of WSE 2.0 technology with applications, making it feasible to use in commercial applications.

Nevertheless, the WS-* specifications are still a work in progress, and Microsoft cannot guarantee source-code compatibility between versions of the toolkit, or between the toolkit and the first release of Indigo. Microsoft is guaranteeing, however, that Indigo will support the same WS-* protocols as (and therefore be interoperable with) the version of WSE that immediately precedes it; presumably this means WSE 2.0.

Despite the risk of future source code incompatibility, companies such as Edgar Online and Hewlett-Packard have built production solutions on the kit. Other companies should carefully evaluate whether they need the message-level security and federation capabilities of the WS-* standards now. Some will be better off waiting for those capabilities to be delivered in Indigo or relying on the existing security capabilities of network protocols such as Secure Sockets Layer.

Microsoft's Web services developer center is msdn.microsoft.com/webservices/.

For further information on Indigo, see "Indigo to Aid Web Services Development" on page 22 of the June 2004 Update.