RE: [provision] WS-CAF and the "Session Context Token"

["Raepple, Martin" <martin.raepple@sap.com>]

As far as I understood Gary's issue in [0], the main reason for
implementing a session context is to optimize the server-side
processing, what I take as managing the resources associated with each
session (requestor). A specification addressing this issue better than
WS-CAF might be found in the Web Services Resource Framework (WSRF).
Specified by the OASIS WSRF TC, the documents are currently under public
review. Besides the more general WS-Resource specification [1] which
defines the terminology of a resource, WS-ResourceLifetime [2] provides
the concrete life-cycle management mechanisms for stateful resources at
the server (provider) side. It basically defines the interface for
managing a stateful resource and uses the Endpoint Reference defined by
WS-Addressing [3] in order to identify a certain instance of a Web
Service using a server-generated ID embedded as a Reference Property.
Since we currently identified the need for proper resource management
only in the context of the search capability, WSRF may be an overkill.
Further requirements like auditing basically require some way to
correlate a number of messages in the context of a session. This may
also be solved using WS-Addressing that defines metadata elements for
SOAP messages like a <MessageID> which could be used for message
correlation.
Regarding the spec, I would follow Gary's alternative B but we may add a
section on session management (as we already did for resource
management) with some advise regarding these standards and their support
in the respective domain.

[0]
http://www.oasis-open.org/apps/org/workgroup/provision/email/archives/20
0506/msg00065.html
[1] http://docs.oasis-open.org/wsrf/wsrf-ws_resource-1.2-spec-pr-01.pdf
[2]
http://docs.oasis-open.org/wsrf/wsrf-ws_resource_lifetime-1.2-spec-pr-01
.pdf
[3] http://ifr.sap.com/ws-addressing/WS-Addressing.pdf

-----Original Message-----
From: Gary P Cole [mailto:Gary.P.Cole@Sun.COM] 
Sent: Dienstag, 12. Juli 2005 00:04
To: provision@lists.oasis-open.org
Subject: Re: [provision] WS-CAF and the "Session Context Token"

Doesn't sound like we can in the short term defer to any other standard 
(including WS-CAF). Furthermore, these sound like overkill (since we are

not talking about composite applications).

So, we can:
A) Formalize with a less objectionable name (such as "operational
context")
the notion of an opaque context that the provider returns
and that the requestor may pass on subsequent requests
to improve performance.
B) Ignore it (and let each implementation roll its own "operational 
context").

prateek mishra wrote:

> As part of a discussion that began with message:
>
http://www.oasis-open.org/apps/org/workgroup/provision/email/archives/20
0506/msg00065.html
> I had taken an action to investigate the proposed work in the WS-CAF 
> TC to see this effort would meet these requirements.
> The WS-CAF involves the development of a family of specifications that

> " define a generic and open framework for applications that contain 
> multiple services used in combination (composite applications)." Three

> specifications are planned: WS-Context, WS-Coordination and a third to

> be named later.
> The WS-Context specification is of particular interest. It provides "a

> definition, a structuring mechanism, and service definitions for 
> organizing and sharing context across multiple execution endpoints." 
> Context may include a range of information but always include
>
> "A mandatory wsctx:contextIdentifierType called 
> wsctx:context-identifier. This identifier can be thought of as a 
> "correlation" identifier or a value that is used to indicate that a 
> Web service is part of the same activity. The 
> wsctx:contextIdentifierType is a URI with an optional wsu:Id 
> attribute. It MUST be unique."
> While the specification is pretty general, it also states that "where 
> messages (either application messages, or WS-Context protocol messages

> themselves) require contextualization, the context is transported in a

> SOAP header block".
> I couldn't see a proposed date for OASIS standardization for 
> WS-Context. A recent draft has been published and is being worked on 
> (also discussion of interop). My guess would be that it would be an 
> OASIS standard by end-of-year.
> SUMMARY:
> The WS-Context specification appears to provide a solution to some of 
> the requirements described in Gary's message. However, the term 
> "Session Context" is absent from WS-Context so maybe there are some 
> requirements (e.g., session time-out?) that are not captured there.
> My own suggestion in that space is that concepts like sessioning and 
> time-outs should definitely be left to the security layer (distinct 
> from both WS-CAF and SPML) and I question whether the PSTC should 
> provide any additional support for it within SPML. Unfortunately, a 
> general purpose sessioning model for messages is not yet under 
> development by a standards body. There is a draft produced by a group 
> of vendors called WS-SecureConversation but I have no idea when it 
> will move to a standards group.
> REFERENCES
> ---------------------
> 1. OASIS WS-CAF TC Web Page
> http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ws-caf
> 2. WS-Context, draft version 0.9.2, July 2005
> http://www.oasis-open.org/committees/download.php/13329/WS-Context.zip



---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  You may a link to this group and all your TCs in
OASIS
at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php