The WS-* v REST debate rumbles along. One thing I have never understood is why, when a new technology or language comes into play, it suddenly has to answer all existing use cases. There are some use cases which are better suited to WS-* and some that are better suited to REST; there are even some where it makes sense to use both at different layers in the system. From a security standpoint REST has a ways to go to deal with the use cases that WS-* does. However, one of my "real world" architectural rules of thumb is that "working code trumps all", and REST gives a more efficient path to that, so you have cases where you may need to interoperate because REST is already there and it did not require a bunch of infrastructure.
For example, how about a case of bridging a REST client that needs to speak through some app to get some data from a back end speaking SOAP/XML/WS-Security? WS-Trust can exchange the REST credentials for SAML assertions that may be used by the WS-Security message for access control by back end services.
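A sketch of the bridge's first step, added here as an illustration and not taken from the original post: the intermediary app turns the REST client's credentials into a WS-Trust Issue request for a SAML assertion scoped to the back end. It assumes the REST credentials arrive as an HTTP Basic header, that the STS accepts a WS-Security UsernameToken, and that WS-Trust 1.3 and SAML 2.0 are in use; `parse_basic`, `build_rst` and the URLs are hypothetical names.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {  # namespaces from the SOAP 1.2, WS-Security, WS-Trust 1.3, WS-Policy, WS-Addressing specs
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")


def parse_basic(header):
    """Return (user, password) from an HTTP Basic Authorization header, or raise ValueError."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("unsupported authorization scheme")
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credentials") from exc
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        raise ValueError("malformed Basic credentials")
    return user, password


def _el(parent, qname, text=None, **attrs):
    """Append a namespaced child element; ElementTree escapes text and attribute values."""
    prefix, local = qname.split(":")
    node = ET.SubElement(parent, "{%s}%s" % (NS[prefix], local), attrs)
    node.text = text
    return node


def build_rst(authorization_header, backend_url):
    """Build the WS-Trust Issue request that trades REST credentials for a SAML assertion."""
    user, password = parse_basic(authorization_header)
    env = ET.Element("{%s}Envelope" % NS["s"])
    token = _el(_el(_el(env, "s:Header"), "wsse:Security"), "wsse:UsernameToken")
    _el(token, "wsse:Username", user)  # never string-format credentials into XML
    _el(token, "wsse:Password", password, Type=PASSWORD_TEXT)
    rst = _el(_el(env, "s:Body"), "wst:RequestSecurityToken")
    _el(rst, "wst:RequestType", NS["wst"] + "/Issue")
    _el(rst, "wst:TokenType", SAML2_TOKEN)
    epr = _el(_el(rst, "wsp:AppliesTo"), "wsa:EndpointReference")
    _el(epr, "wsa:Address", backend_url)  # scopes the issued assertion to the back end
    return ET.tostring(env, encoding="unicode")
```

Because the UsernameToken carries the password as `PasswordText`, both the REST hop and the call to the STS need TLS. The returned assertion is what the intermediary places in the WS-Security header of its call to the back end.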