As Rebecca Dias mentions, my article ("Why WSE") covering the high-level reasons to use WS-Security has been published on MSDN.  It covers the provides benefits WSE provides, such as end-to-end message-level security, content-based routing, and policy through leveraging the WS-Security, WS-Addressing, and WS-Policy specifications. 

Let Rebecca know what you think of it.

If you want a longer article on the same material I'd recommend fellow-RD and web services enthusiast, William Tay's piece on Solving Real World Business Problems with Web Services Enhancements in .NET

Microsoft Research in Cambridge have released the WSE Policy Advisor for Microsoft Web Services Enhancements (WSE) 2.0.  The Policy Advisor is an an unsupported tool that acts as a security diagnosis tool for WSE2 policy files (think of it as an FxCop for web service security policy files).  It analyses the policy file for common security vulnerabilities, provides a description on the risk and remedial advice.  It can be launched as a stand alone application or from the policy tab of the WSE Settings Visual Studio add in.  If you are intersted in WSE 2.0 and Policy then  download the Policy Advisor and run it against the sample files that ship with WSE 2.0 and send the research team feedback.

I've been a fan of using policy files to secure web services with WSE for a long time.  As Clemens says, authoring a policy file by hand is pushing things too far.  In combination with the WSE Settings add-in the Policy Advisor provides a great service for anyone wanting to understand and apply policy files, without having to get too focused on the XML angle brackets. The help file contains a list of all the problems the Policy Advisor can detect and is an excellent learning resource if you want to learn about the purpose of many of the policy elements.  For example:

This policy accepts messages with unauthenticated or elements. (Alarm)
Risk: The message is authenticated, but authentication does not cover and . Those elements are often used to implement replay protection, and should thus be authenticated. Otherwise, an attacker may intercept a message and generate a series of slightly different messages that will be accepted as distinct, genuine messages from the original sender. (The risk may be mitigated if the transport provides integrity protection, or if the recipient implements replay protection using other authenticated elements.)
Advice: Insert wse:Timestamp() and wsp:Header(wsa:MessageID) in the element in the assertion.

It also has warnings about the evil that using unencrypted UsernameTokens, though I'd highlight Keith Brown's excellent MSDN article on Securing the Username Tokens with WSE 2.0 as the best source of guidance in this area.

Here's how the tool integrates with the WSE Settings Visual Studio addin:

Below is a screenshot of the report that the Policy Advisor produces, in this case it is reporting against the secure conversation sample that ships with WSE 2.0.  The top part of the window describes the report, the bottom tree view highlights all of the issues found and the relevant policy for each problem.

I came across this in the Windows Off Topic Mailing List, it's WinDirStat an open source Windows Directory disk usage statistics viewer for Windows, ported from the KDE KDirStat application.  I think it's a great demonstration of how good computer visualization can be in conveying information.  It's a UI that Edward Tufte might be proud of (though the 3D lighting effect in the treemap might qualify as Chart Junk, though you can turn it off).

Each rectangle represents a folder on the disk - the larger the rectangle the more space it is taking up.  The coloured areas within the rectangle represent files.  The rectangles are filled with colour based on their file type (the top 12 file types have individual colours, indicated in the top-right pane, after that the files are shown in grey).  Mousing over a rectangle displays the file name in the status bar.

The three views are also well integrated.  Clicking on a rectangle in the tree map at the bottom automatically expands the file system treeview to the file and the file type is highlighted in the right-hand pane.  Similarly clicking on the file type in the top-right hand pane highlights all of the files of that type in the tree map.

What I like so much about this is the number of questions I can answer in a short space of time, such as:

• What file types are taking up most of the space on my system?
• Where are the largest files on my disk located?
• Which folders are taking up the most space?
• Where are all of the zip files on my hard drive?

The image below shows the scan of my laptop tonight.  It's showing that my Documents and Settings folder is taking up almost half of my hard drive.  From the treemap and the file extension list on the top-right you can see that most of this is from JPEG files (12,000 digital photos from the last 4+ years), followed by DLLs (which highlighted that I had nearly a 1GB of space being taken up in a Recycler folder that I wasn't able to delete through the recyle bin or the explorer), zip files (VPC images) and bitmaps (scanned wedding photos).

Apologies for the off-topic rave, but I'm really impressed by the visual design and the practical usefulness of this tool.  It's helped me clear around 3GB of files that were just wasting space on my hard drive after 20 minutes of using this tool.

Seeing Google maps today helped me realise the power of the browser as a cross-platform development environment.  I believe that the combination of client side callbacks with DHTML and JavaScript dramatically reduce the need for Java Applets or ActiveX controls in web-based applications.

The problems usually levelled at browser-based applications are that they lack the responsiveness and rich interaction experience provided by traditional forms-based applications.   I think the Google apps (Google Suggest, GMail and now Google Maps) prove this point wrong.

I was in a discussion at work today where a colleague was arguing that any browser-based application requiring rich drag-and-drop and data entry grids would have to use ActiveX controls or Java applets.  However I think that developments over recent years in cross-browser support are showing that this kind of functionality can be achieved in the browser.

Here are some links that convinced me further:

• This amazing cross-browser JavaScript DHTML API, Drag & Drop for Images and Layers.  It's a 38KB file that supports drag and drop (including making the image semi-transparent while being dragged) and a whole range of other commands.
• The ability to retrieve new data into a web page without having to refresh described in this overview of the XML HTTP Request Object and its cross-browser support (all wrapped up nicely in ASP.NET 2.0's support for client side callbacks).  What makes me laugh is how this functionality was originally provided through the Microsoft XMLHTTP object from MSXML but Mozilla and Safari have copied it with an XMLHttpRequest object - who said that IE wasn't innovative?
• A range of commercial DHTML grids such as ActiveWidget's Grid 1.0, including this sample showing editing.

I can't wait to see more development around these technologies (I'd really love FreeTextBox to use client side callbacks to autosave my blog posts to save me from losing so many posts!).

As Christian Nagel notes the INETA Europe - UK and Ireland web page launched today, including the new INETA UK and Ireland Regional Speaker Bureau.  The Regional Speaker Bureau is a collection of technology experts and highly-rated speakers who are now available to present at regional User Group events.   If you’re in the UK or Ireland and would like to hear any of these people speak at your User Group then tell your User Group co-ordinator to contact me or let me know directly (benjaminm at benjaminm.net).

INETA already has a European Speakers Bureau, but to highlight the local talent and encourage more events we’ve established the INETA UK and Ireland Regional Speakers Bureau.  This group includes:

• Peter Blackburn – SQL Server MVP co-author of Hitchhiker's Guide to SQL Server 2000 Reporting Services, currently receiving a 5-star review on amazon.com
• Jonathan Greensted – ASP.NET MVP
• Ian Griffiths – C# MVP, Technical Author and an expert on Avalon
• Rob McDonald – Technical Author, internal trainer to Microsoft and founder of co-founder of DevTrain and highly-rated conference speaker.
• Benjamin Mitchell – Regional Director
• Graham Parker – VB.NET MVP and retiring chairman of VBUG

These speakers are on top of the three existing UK members of the INETA European Speaker Bureau:

• Alex Homer – ASP.NET MVP, Technical Author, Conference Presenter
• Richard Grimes – Visual C++ MVP, Technical Author, Conference Presenter
• David Sussman – ASP.NET MVP, Technical Author, Conference Presenter

This work is part of my role as the INETA User Group Liaison for the UK and Ireland which I’ve been doing since late last year.  My aim is to further improve the .NET Community in this corner of the world by ensuring the regional User Groups get access to great speakers for their meetings.  If you know of a great speaker who’s not on the list (we’re currently looking for MVPs, MCTs, Technical Authors or anyone with a proven track-record of great presentations), or you are interested in speaking at User Group events yourself, let me know.

Mark Fussell, the WSE Program Manager posts that since the MTOM specification has moved to a full recommendation it means that it can be implemented in WSE 3.0.  This is great as it means that we'll have a way of solving the problem of how to send binary data in an efficient, interoperable way that plays nicely with the other WS-* specs .

For anyone who wants to take the pulse of the UK .NET bloggers, James Crowley who runs the Developer Fusion site, has put together a page of aggregated UK Developer blogs, with an RSS feed as well.

Ian Cooper gave a presentation last night's London .NET User Group on Data Mapping Patterns in .NET.  He explained many of the patterns from Martin Fowler's book Patterns of Enterprise Application Architecture.  He started with the basic Transaction Script pattern through to the Table Model and finally the Domain Model.  Along the way he demoed the Data Access Application Block (which to my surprise, only half the audience admitted knowing about).

I enjoyed seeing many of these patterns shown in action using nHibernate.  I haven't looked at the ORM frameworks for a while and was pleased to see how far things have developed.  Ian recommended the book 'Hibernate in Aciton' by Christian Bauer and Gavin King as a good introduction.  You can read a sample chapter and a book review on theserverside.com.

Ian's main point was that you should look to use nHibernate or another existing ORM tool rather than writing your own (avoid the ORM Vietnam issue that Ted Neward mentions), but to be careful not to see ORM tools as a hammer that makes all problems look nails.

Graham Parker, the retiring VBUG Chairman, was on before Ian talking about Java and .NET Interoperability.  I missed the start of the session but there was lot of good discussion from the attendees.  A large number of people  were aware of the Mono project and it's recent developments such as support for ASP.NET, Windows.Forms and ADO.NET.  There was also discussion about how Source Forge Source Gear are using Mono for their Vault commercial product.

Max Kington chipped in from the floor with a number of good insights based on his experience with Java.  I had a good chat with him afterwards on a range of topics from grid computing, web services to his claim that '2005 is the year of the domain specific language'.

All up another good LDNUG event.  Ingo Rammer is going to speak at the next event on Wednesday 23 February!