We spoke with Apigee’s Sam Ramji recently. He and the company, which focuses on API products for enterprises and developers, find themselves among those at the center of one of the rising trends in security services: OAuth.
In the past Ramji led open-source strategy across Microsoft, and was a founding member of BEA’s AquaLogic product team. He now acts as strategist for Apigee, where, along with others, he writes for the Apigee API Best Practices blog. He likens the token-based OAuth protocol to a valet key that allows users to go from Web site to Web site (from Twitter to TweetDeck, from Facebook to Twitter, from the New York Times to Facebook, and so on) without multiple logins.
“OAuth allows an application to act as an intermediary to services like Twitter – etcetera – on behalf of the end user,” he said. This type of token service for site hopping is a key mark of the Web 2.0 and the so-called “App Economy” today. “We couldn’t have done this years ago,” said Ramji.
OAuth is said to play nicely with widely used Web-based REST methods. Moreover, Ramji suggested that OAuth makes a “good enough” security service available to a broader group of developers. The mobile device explosion seems likely to expand OAuth use.
Previous alternatives involve a more complex set of processes for developers to learn. Of course, OAuth has its limits. OAuth aims directly at site-to-site application-to-application hopping over HTTP. It would be used in some enterprises along with SAML, OpenID and other more complex security services located as gateways nearer to vital backend systems.
OAuth can be seen as an indicator of a sea change in services, said Ramji. “It is a token-based security system that allows users’ account information to be used by a third-party application in a way that does not expose the user name and password to that application.”
What can go wrong? “The process of wiring up OAuth is pretty complicated for the average developer,” said Ramji. “Also, it is still a spec in motion. No two apps really quite line up easily.”
Apigee’s work is emblematic of the work of API-intensive companies that may change the economics of the software industry. –Jack Vaughan
The mobile web application development world may create many unanticipated aches and pains if word out of Adobe this week is a guide. The company said it would give up work on Flash plug-ins for mobile browsers.
Of course, the late Steve Jobs’ well-publicized disdain for Flash – he cited speed and memory issues among others – put Flash-on-the-iPhone into a skid well over a year ago. It had been perhaps the most ubiquitous web browser plug-in on PCs.
HTML5 has been on the rise in the mobile space, but why abandon a flagship product on the hot mobile platform?
Since the initial announcement met much concern among Flash development community members, an Adobe manager of developer relations looked to clarify things. Adobe’s Michael Chambers emphasized the cost of mobile development efforts, pointing to:
• Differences in screen sizes, resolution and interaction models between mobile devices and desktop PCs
• Generally slower, and higher latency network connections (which are often metered) on mobile devices, which makes it cumbersome, sometimes expensive, and sometimes impossible to repeatedly load rich content from the web on demand.
• The tight integration with the underlying operating systems that native applications provide.
• The tight integration between mobile app stores and the mobile operating systems, which removes most of the friction for discovering new content.
“For each new device, browser and operating system released, the resources required to develop, test and maintain the Flash Player also increases,” he continued. If it is true that this is difficult for one of the largest software companies, how vexing will mobile development strategy be for development heads at non-software companies? What do you think?
The ‘creator of Lisp’ may be nicer than the ‘father of garbage collection.’ But John McCarthy could answer to either sobriquet. He died last week, at 84.
With Lisp, he gave a language to artificial intelligence and set the stage for reasoning systems and robots still a’borning. With garbage collection, he began to solve a problem that had begun to stymie computer advances.
Here, for perspective, is OMG leader Richard Soley’s take on the work of John McCarthy:
Although I never had the opportunity to meet Prof. McCarthy (he inconveniently left MIT for Stanford about the time I was born), his life and work had a profound influence on me. I worked on MacLisp, CommonLisp and other Lisp systems the entire time I was at MIT, including a detailed stint on garbage collection systems (which he invented, before I was born). The ideas that he brought to computer science, cognitive science and the nascent field of artificial intelligence (the name of which he coined) were literally decades ahead of their time, and that kind of forethought is rare. I was lucky enough to work with some of his contemporaries, but many, many of his students; his life’s work enriched mine tremendously.
Increasingly, serious SOA efforts are about managing a portfolio. That means sorting through the corporate assets to see what should be service-enabled, what should be left as is, and what should be retired. This is all about the wider, enterprise view.
It is hard to ultimately succeed with SOA services unless you take the wider view. That view must include an understanding of the organization’s overarching goals. SOA has a technical angle, yes. But too often, SOA advocates have sent the business owner into trances with technical particulars – WSDL handshakes, ESB performance tuning metrics or service normalization patterns.
A shared vocabulary is what is needed, writes William Ulrich, head of TSG consultancy, featured in a recent SearchSOA article on application modernization issues. He sees the term and practice of business architecture gaining definition. Check out “William Ulrich on ‘Business Architecture’ - Seeking a common language.” – Jack Vaughan
The Microsoft Azure cloud effort is a fairly stupendous technology undertaking, but it remains somewhat unknown beyond the ranks of .NET development teams. At the outset, Microsoft started with a bit of a clean slate – it skipped SQL support. Based on customer feedback, it has adjusted along the way, supporting relational data as well as non-relational, and coming up with a pretty robust offering in the process.
SOA has driven major shifts in programming and computing. But major shifts mean major challenges and disruptions. In fact, although SOA has been around for a while, people are still busy solving some basic problems.
A year ago at Oracle OpenWorld/JavaOne in San Francisco, Java creator James Gosling was sighted around the show periphery, people wondered what kind of Java steward Oracle would turn into, and Oracle CEO Larry Ellison began selling hardware and took pot shots at Marc Benioff’s Salesforce.com cloud.
This year, a fair consensus held that Oracle might be a little better than Sun Microsystems at moving Java along, Gosling was sighted around the show periphery, and Oracle CEO Larry Ellison continued to sell hardware and again took pot shots at Marc Benioff’s Salesforce.com cloud.
At the event, Oracle tried to push JavaFX forward, while moving on the HTML5 front as well. It discussed closure support for J EE 8 and Project Jigsaw, a new form of module system standardization. Meanwhile, Glassfish was demoed with cloud deployment features.
But Oracle’s big cloud push may take the form of cloud management software such as its new Enterprise Cloud Manager. Among other things, this software will go in, study your present systems, and then come up with an architecture you can use to take your applications to the cloud. The end result still seems to include a healthy helping of the Oracle SQL RDB – this despite the company’s roll-out of some alternative Hadoop and NoSQL support at the conference. As with a lot of Oracle software these days, the NoSQL software rides some fairly high-end Oracle hardware.
When seeking comparisons to the Oracle cloud, Oracle leader Ellison ignored most alternative clouds to focus on Salesforce.com. He implied that Salesforce.com offered a false cloud. “Beware false clouds,” he advised. “True cloud? False cloud? You decide.” This was said in the wake of Salesforce.com leader Marc Benioff’s on-again/off-again attempts to stage an alternative keynote near Oracle Open World.
It is true that Salesforce.com’s cloud is largely proprietary. And, Oracle’s cloud as described has a healthy helping of Java and J EE middleware. But cloud architectures are such that it is difficult to judge how open, interoperable and portable a given cloud architecture is – at least at this stage.
Truth be told, Ellison’s and Benioff’s cloudy bickering looked especially silly as word emerged that personal computer and smart phone pioneer Steve Jobs had died.
We probably don’t have much to add to the parade of Jobs’ tributes that followed his passing, but let’s say this: He worked tirelessly to enhance people’s abilities and experiences using computers, broadening technology’s use far beyond the IT glass house that existed when he started out.
Even his failures fascinated. At NeXT Computer, Jobs went full-tilt forward on object computing. His period at NeXT – the period in exile from Apple – was something of a low-point for him, but out of it came a highly modular operating system that has subsequently enabled Apple to support a variety of hardware formats. He expected object computing to improve developer productivity. What do you think? Let us know. – Jack Vaughan
By Alan Earls – For his part, Scott Morrison, CTO at Layer7, a provider of API security and governance for service-oriented, Web-oriented and cloud-oriented integration, argues that OAuth is the most interesting thing happening in identity and access management services.
Morrison says a plus with OAuth is that it is a “good basic idea that sits well with modern developers.” On the other hand, because it is a pure, open standard, it lacks the discipline needed to ensure wide interoperability. With much that remains undefined, Morrison says there is a tension between OAuth as a “quick, grassroots standard and the more rigorous requirements of a formal standard.” But OASYS is now working to formalize OAuth, which may yield positive results.
From his perspective, Morrison says that developers should be mindful of the huge role mobile devices are playing in driving identity management. “With mobile there has been a move toward specific, focused apps, most using RESTful-style protocols. Many of them find themselves depending on OAuth as a means of establishing identity to a remote server,” he says. That, in turn, is driving APIs to be more OAuth aware. “Mobile apps are really driving the whole API explosion,” he continues.
Another important issue to consider, says Morrison, is the increasing importance of multiple identities being established through mobile communications. For example, a mobile device may need to establish the identity of the app it is using and then (for activities requiring security) the identity of the individual user of the app. In other words, identity management can be a multiple layer challenge.
By Jack Vaughan
It wasn’t very long ago that Oracle CEO Larry Ellison was denigrating the cloud – but, like others, he and his company now have a strong case of cloud fever.
The company has its own take on the new technology, approaching cloud computing just recently from the direction of software management. This week at Oracle Open World, the company addressed cloud governance issues with Oracle Enterprise Manager Cloud.
Oracle Enterprise Manager Cloud capabilities include cloud planning tools that allow architects and cloud administrators to model their cloud environment in order to optimize use of resources, as well as a capacity and consolidation planner that supports automated workflows.
When we spoke not long ago with Enterprise Architect Ramsay Millar, the discussion centered on the types of tools that you might utilize when pursuing a framework for SOA. Now we are quite pleased for Ramsay to appear as an author on SearchSOA.com.
In “Learning about business architecture the hard way,” he takes a look at the role of business architecture in creating failures or, more positively, in promoting successful SOAs. Without business architecture, the best we may hope for is SOA silos, he writes. Business value has always been an area of discussion for the thoughtful IT leader, but business capabilities and business architectures seem to be discussed more and more these days by SOA thought leaders. What do you think? Let us know.