10/23/2004

Web Service Programming using XML and Java Technology

TM

Sang Shin
sang.shin@sun.com www.javapassion.com Java Technology Evangelist Sun Microsystems, Inc.
1 2

Courses I teach
? ?

XML (2001) Distributed programming using Jini and JavaSpaces technology (2002) Web services programming using XML and Java technology (on-going) ? www.javapassion.com/webservices Free "online" J2EE programming (on-going) ? www.javapassion.com/j2ee Free Advanced J2EE programming ? www.javapassion.com/j2eeadvanced
TM TM TM TM

Presentation of this talk is available from

www.javapassion.com

10/23/2004

Agenda
?

Part I
? ?

Web Services Overview Core Web Services Standards: SOAP, WSDL, UDDI Web Services Development using Java Technology Web Services Security Web Services Interoperability and WS-I ebXML & UBL Ongoing Web Services Activities

Par II
?

Part III
? ?

Part I: Web Services Overview & Core Web Services Standards

5 6

Part IV
? ?

Web Services Definition by W3C

What is & Why Web Services?

7

A Web service is a software application identified by a URI, whose interfaces and binding are capable of being defined, described and discovered by XML artifacts and supports direct interactions with other software applications using XML based messages via internet-based protocols
8

10/23/2004

Traditional C/S vs. Web Services

Traditional C/S

Web Service

Within enterprise Tied to a set of programming languages Procedural Usually bound to a particular transport Tightly-coupled Efficient processing (space/time)

Between enterprises Program language independent Message-driven Easily bound to different transports Loosely-coupled Relatively not efficient processing

10

Web Application vs. Web Services

Web Application

Impact of Web Services on Software: Application Dis-Integration

Web Services Monolithic Software
Application System Software A Computer
System Service System Service System Service App Service App Service App Service

Web Service

User-to-program interaction Static integration of components Monolithic service

Program-to-program interaction Possibility of dynamic integration of components (in the future) Possibility of service aggregation (in the future)

The Network 11 12

10/23/2004

Impact on Integration: Trigger the Network Effect

Custom Integration

Web Services

Where is Web Services?

13 14

Metcalfes Law: The value of the network is proportional to the square of the number of

State of Web Services

Web Services Adoption Phases

?

Technology/Standards are still evolving

SOAP, WSDL, UDDI are not enough

1st Phase Simple Web Services (Now)

?

Business web services is the next big thing, but more works are needed in

Consumer-focused, stateless, SOAP over HTTP/S Deployed within organization boundaries to enable internal integration Deployed on extranets to enable business transactions with trading partners, suppliers, and customers, ebXML & UBL
16

2 Phase EAI Web Services (Begun)

?

nd

Quality of Service, Management, Metering Security, transaction, reliability Work flow, Identity management, Provisioning, Accounting and billing Performance, scalability, availability
15

3rd Phase Business Web Services (2004?)

?

Web services will be adopted in phases

10/23/2004

What is SOAP?

SOAP (Simple Object Access Protocol)

17

Simple Object Access Protocol Wire protocol similar to

IIOP for CORBA JRMP for RMI text based protocol vs. binary protocol

XML is used for data encoding

Supports XML-based RPC

18

What SOAP is Not

What does SOAP Define?

Not a component model

So it will not replace objects and components, i.e. EJB, JavaBeans So it will not replace Java So it will not replace other distributed computing technologies such as RMI
19

Not a programming language

Message Envelope Encoding Rules RPC Convention Binding with underlying protocols

Not a solution for all

20

10/23/2004

SOAP Message Format

SOAP Message Primary MIME part (text/xml) SOAP Envelope SOAP Header Header Entry Header Entry Attachment Attachment SOAP Body Body Entry Body Entry

SOAP Message Envelope

Encoding information Header

Optional Could contain context knowledge

Security Transaction

Body

Attachment

RPC methods and parameters Contains application data

22

21

SOAP Encoding
Rules of expressing application-defined data types in XML Based on W3C XML Schema Simple values
Built-in types from XML Schema, Part 2 (simple types, enumerations, arrays of bytes)

SOAP RPC Request Example

<SOAP-ENV:Envelope xmlns:SOAP-ENV="" SOAP-ENV:encodingStyle=""> <SOAP-ENV:Header> <!-- Optional context information --> </SOAP-ENV:Header> <SOAP-ENV:Body> <m:GetLastTradePrice xmlns:m=some_URI"> <tickerSymbol>SUNW</tickerSymbol> </m:GetLastTradePrice> </SOAP-ENV:Body> </SOAP-ENV:Envelope>

Compound values
Structs, arrays, complex types
23

24

10/23/2004

SOAP RPC Response Example

<SOAP-ENV:Envelope xmlns:SOAP-ENV="" SOAP-ENV:encodingStyle=""> <SOAP-ENV:Header> <!-- Optional context information --> </SOAP-ENV:Header> <SOAP-ENV:Body> <m:GetLastTradePriceResponse xmlns:m=some_URI"> <price>30.5</price> </m:GetLastTradePriceResponse> </SOAP-ENV:Body> </SOAP-ENV:Envelope>

SOAP RPC

Information needed for a method call:

The URI of the target object

<SOAP-ENV:Body> <m:GetLastTradePrice xmlns:m=http://stocks.com/StockQuotes"> <tickerSymbol>SUNW</tickerSymbol> </m:GetLastTradePrice> </SOAP-ENV:Body>

25

26

SOAP RPC

SOAP RPC

Information needed for a method call:

The URI of the target object Method name

<SOAP-ENV:Body> <m:GetLastTradePrice xmlns:m=http://stocks.com/StockQuotes"> <tickerSymbol>SUNW</tickerSymbol> </m:GetLastTradePrice> </SOAP-ENV:Body>

Information needed for a method call:

The URI of the target object Method name Parameters

<SOAP-ENV:Body> <m:GetLastTradePrice xmlns:m=http://stocks.com/StockQuotes"> <tickerSymbol>SUNW</tickerSymbol> </m:GetLastTradePrice> </SOAP-ENV:Body>

27

28

10/23/2004

What is WSDL?
XML language for describing web services Web service is described as
A set of communication endpoints (ports)

Endpoint is made of two parts

Quick WSDL Tutorial

29

Abstract definitions of operations and messages Concrete binding to networking protocol (and corresponding endpoint address) and message format

Why this separation?

Enhance reusability (as we will see in UDDI reference to WSDL document)
30

Why WSDL?
Enables automation of communication details between communicating partners
Machines can read WSDL Machines can invoke a service defined in WSDL

WSDL Document Example

? ?

Simple service providing stock quotes A single operation called GetLastTradePrice Deployed using SOAP 1.1 over HTTP Request takes a ticker symbol of type string Response returns price as a float
32

Discoverable through registry Arbitration

3rd party can verify if communication conforms to WSDL
31

? ?

10/23/2004

WSDL Elements

WSDL Elements

Types Message Operation Port Type Binding Port Service

33

Types

Data type definitions Used to describe exchanged messages Uses W3C XML Schema as canonical type system

34

WSDL Example: Types

<definitions name="StockQuote" targetNamespace="http://example.com/stockquote.wsdl" xmlns:tns="http://example.com/stockquote.wsdl" xmlns:xsd1="http://example.com/stockquote.xsd" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns="http://schemas.xmlsoap.org/wsdl/> <types> <schema targetNamespace="http://example.com/stockquote.xsd" xmlns="http://www.w3.org/2000/10/XMLSchema"> <element name="TradePriceRequest"> <complexType> <all> <element name=tickerSymbol" type="string"/> </all> </complexType> </element> <element name="TradePrice"> <complexType> <all> <element name="price" type="float"/> </all> </complexType> </element> </schema> </types>

WSDL Elements

Messages

Abstract, typed definitions of data being exchanged Abstract description of an action Refers to an input and/or output messages Collection of operations Abstract definition of a service
36

Operations

Port type

35

10/23/2004

Example: Messages, Operation, Port type

<message name="GetLastTradePriceInput"> <part name="body" element="xsd1:TradePriceRequest" /> </message> <message name="GetLastTradePriceOutput"> <part name="body" element="xsd1:TradePrice" /> </message> <portType name="StockQuotePortType"> <operation name="GetLastTradePrice"> <input message="tns:GetLastTradePriceInput" /> <output message="tns:GetLastTradePriceOutput"/> </operation> <!-- More operations --> 37 </portType>

WSDL Elements

Binding

Concrete protocol and data format for a particular Port type Protocol example: SOAP 1.1 over HTTP or SOAP 1.1 over SMTP Defines a single communication endpoint Endpoint address for binding URL for HTTP, email address for SMTP Aggregate set of related ports
38

Port

Service

Example: Binding, Port, Service

<binding name="StockQuoteSoapBinding" type="tns:StockQuotePortType"> <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/> <operation name="GetLastTradePrice" > <soap:operation soapAction="http://example.com/GetLastTradePrice"/> <input> <soap:body use="literal" /> </input> <output> <soap:body use="literal" /> </output> </operation> </binding> <service name="StockQuoteService"> <documentation>My first service</documentation> <port name="StockQuotePort" binding="tns:StockQuoteBinding"> <soap:address location="http://example.com/stockquote " / > </port> </service>

UDDI

39

40

10/23/2004

Service Architecture
UDDI Registry
1. Service Registers PUBLISH 2. Client Request Service Location FIND

Business Registry Components:

White Pages

Web Service

3. Client calls Service BIND

Service Client

Yellow Pages

Information about the business (address, contacts,...) Categorization of the business and its services Technical information about how to invoke a service
42

UDDI defines a way to publish and find information about Web services.
41

Green Pages

UDDI Data Types

BusinessEntity
BusinessService BindingTemplate BindingTemplate Tmodel Tmodel 43

Business Entity

White Pages information Yellow Pages information Green Pages information Contains references to tModels

BusinessEntity

Business Services

Binding Templates

tModels

Service Type Definitions Contains references to WSDL documents

Top-level data structure that holds descriptive information about a business entity Service descriptions and technical information are expressed within a businessEntity

businessEntity
businessKey name URL description contacts businessServices identifierBag categoryBag

Contact Contact Phone Phone Address Address E-mail Email

businessService businessService serviceKey Name Description BindingTemplates

keyedReference keyedReference tModelKey tModelKey keyName keyName keyValue keyValue

keyedReference keyedReference tModelKey tModelKey keyName keyName keyValue keyValue

44

10/23/2004

BusinessService

BindingTemplate

<businessService businessKey="..." Represents the serviceKey="..."> business services <name>StockQuoteService</name> provided by the <description> (...) </description> businessEntity <bindingTemplates> (...) Unique key used <bindingTemplate> to represent a (...) service <accessPoint urlType="http"> http://example.com/stockquote Name of the </accessPoint> service <tModelnstanceDetails> Contains <tModelnstanceInfo BindingTemplate tModelKey="..."> </tModelnstanceInfo> structures <tModelnstanceDetails> </bindingTemplate> </bindingTemplates> </businessService>

Specifies Network endpoint address Contains a reference to a tModel

45

<businessService businessKey="..." serviceKey="..."> <name>StockQuoteService</name> <description> (...) </description> <bindingTemplates> (...) <bindingTemplate> (...) <accessPoint urlType="http"> http://example.com/stockquote </accessPoint> <tModelnstanceDetails> <tModelnstanceInfo tModelKey="..."> </tModelnstanceInfo> <tModelnstanceDetails> </bindingTemplate> 46 </bindingTemplates> </businessService>

tModel

tModel Example
<tModel authorizedName="..." operator="..." tModelKey="..."> <name>StockQuote Service</name> <description xml:lang="en"> WSDL description of a standard stock quote service interface </description> <overviewDoc> <description xml:lang="en"> WSDL source document. </description> <overviewURL> http://stockquote-definitions/stq.wsdl </overviewURL> </overviewDoc> <categoryBag> <keyedReference tModelKey="UUID:..." keyName="uddi-org:types" keyValue="wsdlSpec"/> </categoryBag> </tModel>

Service type definition Is expected to be created by industry consortium

Business entities create businessEntity's, businessServices, and bindingTemplates

Shared by business entities Has a reference to WSDL document Enables quick search of all business entities which supports a particular service Contains CategoryBag
47

48

10/23/2004

Publishing Services

Publishers interface Save things save_business save_service save_binding save_tModel Delete things delete_business delete_service delete_binding delete_tModel security get_authToken discard_authToken

4 messages to save each of the 4 structures

Programmer's API: Service Discovery

Each save message accepts as input the authToken and one or more corresponding structures.

Inquiry interface

Find things

4 messages to delete each of the 4 core structures

Find_business Find_service find_binding find_tModel

Browse

4 messages to find each of the 4 structures The get call can be used to get information regarding a specific instance of any of the 4 data types, given the key

They all accept the corresponding uuid key as the parameter. request an authentication token inform registry that the authToken is no longer valid.

Get details

Drill-down

Security:

Get_businessDetail get_serviceDetail get_bindingDetail Get_tModelDetail validate_categorization

Taxonomy interface

49

50

UDDI Runs Over SOAP

User
UDDI SOAP Request UDDI SOAP Response

SOAP Message Example for get_serviceDetail request

<Envelope> <Body> <get_serviceDetail generic="1.0"> <serviceKey>6FD77EF6-E7D6-6FF6-1E41-EBC80107D7B5 </serviceKey> </get_serviceDetail> </Body> </Envelope>

UDDI Registry Node

HTT Serve P r SOA Processo P r

UDDI Registry Service

Create, View, Update, and registration Delete s

B2B Directory

Platform-neutral

51

52

10/23/2004

SOAP Message Example for get_serviceDetail response

<Envelope> <Body> <serviceDetail generic="1.0" operator="XMethods"> <businessService serviceKey="6FD77EF6-E7D6-6FF6-1E41-EBC80107D7B5" businessKey="D1387DB1-CA06-24F8-46C4-86B5D895CA26"> <name>Currency Exchange Rate</name> <description>Endpoint for service</description> <description>IMPLEMENTATION: glue</description> <description>CONTACT EMAIL: support@xmethods.net</description> <bindingTemplates> <bindingTemplate bindingKey="0036DEBC-2F1B-EB84-09E2-3A4332C3E8B4" serviceKey="6FD77EF6-E7D6-6FF6-1E41-EBC80107D7B5"> <description>SOAP binding</description> <accessPoint URLType="http">http://services.xmethods.net:80/soap</accessPoint> <tModelInstanceDetails> <tModelInstanceInfo tModelKey="uuid:D784C184-99B2-DA25-ED453665D11A12E5"/> </tModelInstanceDetails> </bindingTemplate> </bindingTemplates> </businessService> </serviceDetail> </Body> </Envelope>

Demo
UDDI Browser in soapclient.com
54

53

UDDI Browser in www.soapclient.com

Search for a business via Business Name

55

56

10/23/2004

UDDI Browser in www.soapclient.com

Business Entity

57

58

List of Services

A particular Service

59

60

10/23/2004

Binding Template

tModel

61

62

WSDL document of the service

UDDI over SOAP Request

63

64

10/23/2004

UDDI over SOAP Message

Execute a service (Delayed stock quote)

65

66

Execute a service (Delayed stock quote)

Result of delayed stock quote service Execution

67

68

10/23/2004

Demo
Accessing Amazon.com through a Web service
69

Demo Scenario

Accessing Amazon.com Web service in real-time through a browser Accessing Amazon.com Web service in real-time using Swing application, which uses Sun Java Studio generated stub library

70

Demo Scenario

Browser
Web services client

HTML/HTTP

Amazon.com
XML/SOAP

Part II: Web Services Development using Java Technology

71 72

10/23/2004

Java APIs for SOAP, WSDL, UDDI

SOAP Messaging

JAXM (JSR 67), SAAJ, JAX-RPC (JSR 101), JMS

Java APIs for Web Services

73

WSDL

Java API for WSDL (JSR 110) JAX-RPC (JSR 101)

UDDI

JAXR (JSR 67)

74

J2EE Web Services Framework

J2EE 1.4 (JSR 151) Web services for J2EE (JSR 109) JAX-RPC (JSR 101) JAXR SAAJ EJB 2.1
75

Java APIs for XML Document Management

JAXP (Java API for XML processing, JSR 05)

Assembly language for XML document processing Higher level language for XML document processing Pull-parsing API based on Iterator Gives parsing control to programmers
76

JAXB (Java API for XML data-binding, JSR 31)

Streaming API for XML (JSR 173)

10/23/2004

Java APIs for XML Security

More Java APIs for Web Services

XML Digital Signature (JSR 105) XML Encryption (JSR 106) XML Trust Service (JSR 104) Secure Assertion Markup Language (SAML, JSR 155) WS-Security (JSR 183)
77

XML Transactioning API for Java (JSR 156)

Java API for OASIS BTP SOAP messaging for J2ME devices Metadata based Web services Foundation for Service-Oriented-Architecture (SOA)
78

Web Services for J2ME (JSR 172)

Web Services Metadata for J2EE (JSR 181)

Java Business Integration (JSR 208)

What Is a J2EE Web Service?

? ?

Web Services Support in J2EE

79

A set of endpoints (ports) operating on messages Ports are operating within a container

Container provides runtime environment Contract for runtime environment are specified in JAX-RPC, EJB 2.1, JSR 109

Service is described abstractly in WSDL document and published to a registry

WSDL specifies a contract between service provider and client

80

10/23/2004

Web Service Component and Container

Web Service Components

Web services components

Container vs. Component model

Web services components get executed within a container Container provides host execution environment Components are portable

Web service component is 1st-class J2EE component along with JSP, Servlet, EJB components in J2EE 1.4

81

Source: Web Services for J2EE (JSR 109), V1.0

82

Web Service Container

?

Provides
?

Web Services Endpoint Architecture

? ?

Life cycle management of web service components Provides a listener for WSDP port address Listerner then dispatches client requests to web services components Runtime services: Security services Web container for Servlet-based endpoint EJB container for EJB-based endpoint
83 84

Will use existing containers

? ?

10/23/2004

Web Services for the J2EE 1.4 Platform

J2EE 1.4 Web Services Framework

Client View

JAX-RPC Servlet based endpoint (port)

J2EE 1.4 is an umbrella framework for Web services

Server View

Web services for J2EE (JSR 109) JAX-RPC SAAJ JAXR EJB 2.1 Connector architecture 1.5
86

JAX-RPC Runtime is provided by Web container EJB 2.1 Runtime is provided by EJB container 85

Stateless Session Bean based endpoint (port)

Web Services for J2EE (JSR 109)

?

JAX-RPC

Addresses overall Web services architecture over J2EE

Servlet-based Web service endpoint model XML data types to/from Java types mapping WSDL to/from Java mapping JAX-RPC Client Programming Models SOAP Message Handler framework Extensible type mapping

Client model

based on JAX-RPC based on JAX-RPC and EJB 2.1

Server programming model

Deployment descriptor and packaging WSDL binding Security

87

We will talk about the above in detail later on!

88

Incorporates JAX-RPC, EJB 2.1

10/23/2004

JAX-RPC Architecture Diagram

JAX-RPC Client Generated Code Container
Client-side JAX-RPC Runtime System

SAAJ

WSDL Document
JavaWSDL WSDL Java

JAX-RPC Service Endpoint

Handles low-level SOAP message handling

Container

Contains the API for creating and populating a SOAP messages conforming to SOAP 1.1 and SOAP with Attachment specifications Used by high-level APIs (such as JAX-RPC runtime)

Server-side JAX-RPC Runtime System

Contains API necessary for sending requestresponse (non-provider-model) messages Separated out from JAXM 1.0 into JAXM 1.1 and SAAJ 1.1
90

SOAP HTTP

89

Web Services Support in EJB 2.1

JAXR

Defines Stateless Session Bean-based Web services endpoint model

Stateless session bean can be web services implementation Web services endpoint interface (service definition interface) for Stateless session bean Can implement SOAP Message Handlers for Stateless session bean based endpoint

Standard Java API for performing registry operations over diverse set of registries

Web service publication & discovery

A unified information model for describing business registry content Provides multi-layered API abstractions

91

Level 0: for UDDI Level 1: for ebXML registry/repository

92

10/23/2004

Message-Driven Beans (EJB 2.1)

Message-driven bean (MDB) contracts are extended to support additional messaging types (e.g., JAXM) in addition to JMS

JMS MDB implements javax.jms.MessageListener JAXM MDB implements either javax.xml.messaging.One-wayListener or javax.xml.messaging.ReqRespListener

Web Service Development Steps Over J2EE

94

93

Steps for Development and Deployment of Web Services:

I. Define a Web service II. Implement the Web service III. Produce deployment ready package IV. Deploy package over J2EE platform V. Publish the Web service and binding information to a service registry
95

I. Defining a Web Service

Web service is defined in

WSDL or Web service endpoint interface (Java interface) WSDL is created (or found) first before its implementation

Top-down

Bottom-up

VI. Serve service requests from client

WSDL gets generated from existing J2EE components

96

10/23/2004

Service Endpoint Interface

A Java interface type as specified in JAX-RPC

Example: Service Endpoint Interface

public interface StockQuoteProvider extends java.rmi.Remote { public float getLastTradePrice(String tickerSymbol) throws java.rmi.RemoteException; ... }

Extends java.rmi.Remote

Needed for both servlet-based and stateless session bean based endpoint Could be generated from WSDL Declared in Web service deployment descriptor
97

98

II. Implement Web Service

1. Choose implementation form

Java class (for servlet-based endpoint) Stateless session bean Deployment tools generate needed artifacts for runtime Container delegates invocations on service endpoint to either Java class or session bean instance
99

Example Implementation: Java Class for Servlet-based Endpoint

public class StockQuoteProviderImpl implements StockQuoteProvider { public float getLastTradePrice(String tickerSymbol) throws java.rmi.RemoteException{ // business logic for method } }

2. Implement business logic for methods

3. Create deployment descriptor

100

10/23/2004

Example Implementation: Stateless Session Bean Class

public class StockQuoteProviderBean implements javax.ejb.SessionBean { ... public float getLastTradePrice(String tickerSymbol) throws java.rmi.RemoteException{ // business logic for method } ... }

III. Create Deploy'able package

?

Ready-to-deploy'able package

WAR file (servlet-based) EJB-JAR file (stateless session bean based) Package structure Web Services Deployment descriptor

Standardization for portability

101

102

Design Goals J2EE 1.4 Web Services Framework

?

Package Contains
? ? ? ?

Portability of Web services component

Over different vendor platform Over different operational environment

Leveraging existing J2EE programming models for service implementation Easy to program and deploy

WSDL document Service endpoint interface Service implementation Web Services Deployment descriptor

High-level Java APIs Use existing deployment model

103 104

10/23/2004

Web Services Deployment Descriptor

IV. Deploy Package

webservices.xml
<webservices> <webservice-description> <webservice-description-name>JoesServices </webservice-description-name> <wsdl-file>META-INF/joe.wsdl</wsdl-file> <jaxrpc-mapping-file>META-INF/joes_mappings.xml </jaxrpc-mapping-file> <port-component> <port-component-name>JoePort</port-component-name> <service-impl-bean> <ejb-link>JoeEJB</ejb-link> </service-impl-bean> </port-component> </webservice-description> </webservices>

Responsibility of Container (or deployment tool)

Validation of the package Creation of runtime artifacts Configuration of the servers SOAP request listeners for each port (binding to a port) Generation of concrete WSDL document Publication of Web services
106

105

Example: Mapping of WSDL portType to Service Definition Interface

<!------------------- WSDL Document -------------------------------------> <message name=GetLastTradePriceInput> <part name=tickerSymbol type=xsd:string/> </message> <message name=GetLastTradePriceOutput? <part name=result type=xsd:float/> </message> <portType name=StockQuoteProvider> <operation name=GetLastTradePrice parameterOrder=tickerSymbol> <input message=tns:GetLastTradePriceInput/> <output message=tns:GetLastTradePriceOutput/> </operation> </portType> ///////////////////////////// Java Interface ////////////////////////////////////////////////////// public interface StockQuoteProvider extends java.rmi.Remote { float getLastTradePrice (String tickerSymbol ) throws java.rmi.RemoteException; }

WSDL to/from Java Mapping

107

108

10/23/2004

JAX-RPC Relationship to WSDL WSDL JAX-RPC describes a Web Service as a

collection of remote interfaces and methods
Tools are used to convert between WSDL documents and sets of Java remote interfaces

Demo
Building a Web Service using Sun Java Studio IDE
109 110

WSDL describes a Web Service as a collection of ports and operations

Demo Scenario

Exposing methods of a Java class as a Web service using Sun ONE Studio 5 (Bottom-up approach) Packaging and deploying a Web service at Web-tier over Sun ONE App server using Sun ONE Studio 5 Testing the Web service through a browser using automatically generated JSP pages and custom tags
111

SOAP Message Handler

112

10/23/2004

SOAP Message Handlers

SOAP Message Handlers

Handlers let you access/modify SOAP request and response messages

Pluggable and chainable

Typically used to process service contexts in SOAP header blocks Can be used to extend functionality of Web services runtime system
?

Through standardized programming API Portable across implementations JAX-RPC runtime system calls init(), destroy() of a handler

Has its own life-cycle

J2EE containers (which provide Web services runtime) are likely to use them internally to provide session/transaction propagation

Example handlers:

encryption, decryption, authentication, authorization, logging, auditing, caching

Handler instances can be pooled MessageContext is used to share properties among handlers in a handler chain
114

113

SOAP Message Handlers

Example SOAP Message Handler

package com.example; public class MySOAPMessageHandler implements javax.xml.rpc.handler.Handler { public MySOAPMessageHandler() { ... } public boolean handleRequest(MessageContext context, HandlerChain chain){ try { SOAPMessageContext smc = (SOAPMessageContext)context; SOAPMessage msg = smc.getMessage(); SOAPPart sp = msg.getSOAPPart(); SOAPEnvelope se = sp.getEnvelope(); SOAPHeader sh = se.getHeader(); // Process one or more header blocks // ... // Next step based on the processing model for this handler } catch(Exception ex) { // throw exception } } // Other methods: handleResponse(), handleFault(), init(), destroy() }

SOAP Message <Request>

Handler Chain
Handler #2 Service Endpoint (Port)

Handler #1

SOAP Message <Response>

115

116

10/23/2004

Demo Scenario

Demo
Build & Deploy a chain of Server side SOAP Message Handlers
117

Write SOAP message handler codes

Dump intercepted SOAP messages

Using Sun ONE Studio 5, configure and redeploy a Web service with a chain of SOAP message handlers Run any client to access the redeployed Web service and see the dumped SOAP messages
118

Session Management

Session Management

JAX-RPC runtime system manages session

Service client or service developer do not have to deal with session management

Supported Session management schemes over HTTP

Cookie-based URL rewriting

SOAP Header-based session management scheme in the future

120

119

10/23/2004

Demo Scenario

Demo
Session Management
121

Perform a series of Web services calls through which a session state is maintained

122

Web Services Client View

Web Service Client Development Steps Over J2EE

123

Independent of how an XML based RPC service (service endpoint) is implemented on the server side Generates a Java based client side representation for a service from WSDL document Must not be exposed or tied to a specific XML based protocol, transport or any implementation specific mechanism Can be standalone app, Web-tier components, EJB beans

124

10/23/2004

WSDL View of a Web Service

WSDL Document
Service A
Port "Foo" Http://.../foo

Web Services Client View

Abstract part of WSDL document (PortType) is represented by Service Endpoint Interface

Binding "FooB"

Container provides actual implementations of Service Endpoint Interface

SOAP/HTTP
Port Type "FooPT"
Operation "Op1"

Stub or dynamic proxy

Port "Bar" Port "Xyz"

Service B

Concrete part of WSDL document (Service, Port) is represented by Service Interface

Operation "Op2"

Container provides actual implementation of Service interface

Port ...

Service object

125

Service object is a factory class for stub or dynamic proxy 126

Web Services Client Architecture

Dev. Steps for Web Service Client

1.Discover WSDL description of service 2.Identify service provider endpoint address 3.Get client-side Web services code artifacts (i.e. stub or dynamic proxy)

Container
Service Endpoint Interface Service Interface

Client

Port

Code artifacts are generated by container (or deployment tool)

127

4.Send messages to endpoints that provide service implementation (through stub or dynamic proxy) 5.Receive back messages that contain results

128

10/23/2004

Example: Web service Client

Public class InvestmentBean implements SessionBean{ public void checkPortfolio(...) { // Get Service object through JNDI InitialContext ctx = new InitialContext(); StockQuoteService sqs = (StockQuoteService) ctx.lookup( "java:comp/env/service/StockQuoteService"); // Get stub or dynamic proxy object from // Service object which functions as a factory StockQuoteProvider sqp = sqs.getStockQuoteProviderPort(); // Invoke a method to Web service float quotePrice = sqp.getLastTradePrice(...); ... } }

JAX-RPC Client Programming Models

130

129

Client Programming Models

Stub-based Invocation Model

Stub-based (least dynamic)

Both interface (WSDL) and implementaion (stub) created at compile time Interface (WSDL) created at compile time Implementation (dynamic proxy) created at runtime Both interface (WSDL) and implementaion created at runtime
131

Dynamic proxy

Dynamic invocation interface (DII)

Stub class gets generated at compile time All needed value classes are also generated Instantiated using vendor-generated Service implementation class Stub class is bound to a specific XML protocol (i.e. SOAP) and transport (i.e. HTTP) Best performance Stub class implements

javax.xml.rpc.Stub interface Web service definition interface

132

10/23/2004

Stub Class Hierarchy

<<interface>> javax.xml.rpc.Stub <<interface>> com.example.stockQuoteProvider

Dynamic Proxy-based Invocation Model

com.example.StockServiceSoapBinding_Stub

<<package>> javax.xml.rpc

<<package>> com.<<vendor>>.xml.rpc 133

Dynamic proxy is generated on the fly by JAX-RPC client runtime Application provides the Web service definition interface the dynamic proxy conforms to during runtime Easiest to program but slower than stub-based
- implementation object created and casted
134

Example: Dynamic Proxy Client

package proxy; import java.net.URL; import javax.xml.rpc.Service; import javax.xml.rpc.JAXRPCException; import javax.xml.namespace.QName; import javax.xml.rpc.ServiceFactory; public class HelloClient { public static void main(String[] args) { try { String UrlString = "http://localhost:8080/ProxyHelloWorld.wsdl"; String nameSpaceUri = "http://proxy.org/wsdl"; String serviceName = "HelloWorld"; String portName = "HelloIFPort"; URL helloWsdlUrl = new URL(UrlString); ServiceFactory serviceFactory = ServiceFactory.newInstance(); Service helloService = serviceFactory.createService(helloWsdlUrl, new QName(nameSpaceUri, serviceName)); HelloIF myProxy = (HelloIF) helloService.getPort(new QName(nameSpaceUri, portName), proxy.HelloIF.class); System.out.println(myProxy.sayHello("Buzz")); } catch (Exception ex) { ex.printStackTrace(); } } }

DII Invocation Model

Gives complete control to client programmer Most dynamic but complex programming Enables broker model

Client finds (through some search criteria) and invokes a service during runtime through a broker Used when service definition interface is not known until runtime You set operation and parameters during runtime
136

135

Has to create Call object first

10/23/2004

Example: DII Client

package dynamic; import javax.xml.rpc.Call; import javax.xml.rpc.Service; import javax.xml.rpc.JAXRPCException; import javax.xml.namespace.QName; import javax.xml.rpc.ServiceFactory; import javax.xml.rpc.ParameterMode; public class HelloClient { private static String endpoint = "http://localhost:8080/dynamic-jaxrpc/dynamic"; private static String qnameService = "Hello"; private static String qnamePort = "HelloIF"; private static String BODY_NAMESPACE_VALUE = "http://dynamic.org/wsdl"; private static String ENCODING_STYLE_PROPERTY = "javax.xml.rpc.encodingstyle.namespace.uri"; private static String NS_XSD = "http://www.w3.org/2001/XMLSchema"; private static String URI_ENCODING = "http://schemas.xmlsoap.org/soap/encoding/";

Example: DII Client

public static void main(String[] args) { try { ServiceFactory factory = ServiceFactory.newInstance(); Service service = factory.createService(new QName(qnameService)); QName port = new QName(qnamePort); Call call = service.createCall(port); call.setTargetEndpointAddress(endpoint); call.setProperty(Call.SOAPACTION_USE_PROPERTY, new Boolean(true)); call.setProperty(Call.SOAPACTION_URI_PROPERTY,""); call.setProperty(ENCODING_STYLE_PROPERTY, URI_ENCODING); QName QNAME_TYPE_STRING = new QName(NS_XSD, "string"); call.setReturnType(QNAME_TYPE_STRING); call.setOperationName(new QName(BODY_NAMESPACE_VALUE "sayHello")); call.addParameter("String_1", QNAME_TYPE_STRING, ParameterMode.IN); String[] params = { "Duke!" }; String result = (String)call.invoke(params); System.out.println(result); } catch (Exception ex) { ex.printStackTrace(); }

137

} }

138

Demo
Building and Running Three Client Programming Models
139

Demo Scenario

Build and run client programs using three client programming models

Stub-based Dynamic proxy DII

Compare the duration of call among the three client programming models

140

10/23/2004

Part III: Web Services Security & Web Services Interoperability

141

Web Service Security over J2EE

142

Web Services Security Issues

? ? ? ? ?

Web Services Security over J2EE

?

Authentication Authorization Integrity and confidentiality Audit Non-repudiation

Current
?

Leverages the existing transport-level security models of J2EE Follow XML and Web services security standards work Message-level security Information about the authentication policy will be included in or available through the service definition (WSDL)
144

Future
?

? ?

143

10/23/2004

Authentication (at Transport level)

?

Example: Basic Authentication

StockQuoteService sqs = getStockQuoteService(..); // Get the instance of stub object setting username & password StockQuoteProvider sqp = sqs.getStockQuoteProviderPort( "<username>", "<password>"); float quote = sqp.getLastTradePrice("ACME");

Basic-authentication (with or without SSL) Symmetric HTTPS (Mutual authentication)

145

146

Authorization
?

Integrity & Confidentiality

?

Gets performed after authentication

Identity of a user is associated with the request after authentication

?

Leverages HTTPS
? ?

Leverages the existing J2EE authorization model

?

SSL supports encryption WSDL document's port address may specify https:

Servlet based endpoint ? who can access what web resources Stateless session bean based endpoint ? who can perform what EJB methods
147

J2EE 1.4 vendors are recommended to support

? ?

XML digital signature for data integrity XML encryption for confidentiality

148

10/23/2004

Auditing
? ?

Non-repudiation
? ?

J2EE 1.4 vendors are recommended to support auditing Future

?

Standard format for record format and programming API still need to be defined

HTTPS falls short on non-repudiation J2EE 1.4 vendors are recommended to support non-repudiation logging Future
?

Standard mechanism for non-repudiation logging

149

150

Demo
Accessing Web service via Basic Authentication (and SSL encryption)
151

Demo Scenario

Redeploying a Web service with Basic authentication enabled through Sun ONE Studio 5 Running client application without passing username and password - it should fail with authorization failure Running client application with username and password
152

10/23/2004

Why More Stringent Security for Web Services?

Web Services Security Standards

153

Point of interaction is more over the internet (as opposed to within an intranet) Interaction between partners with no previously established relationship Program to program interaction (as opposed to human to program interaction) More dynamic interaction (as opposed to static interaction) Larger number of services providers and users
154

Issues with Current Web Security Schemes

XML & Web Services Security Schemes

SSL/TLS/HTTPS

Transport level security (as opposed to message level security) Point-to-point security only, does not handle end-to-end multi-hopped messaging security Security only when data is on the wire, does not secure data off the wire HTTPS does not support non-repudiation HTTP might not be the only transport used No element-wise signing and encryption

155

XML Digital Signature XML Encryption XKMS (XML Key Management Specification) XACML (eXtensible Access Control Markup Language) SAML (Secure Assertion Markup Language) ebXML Message Service Security WS-Security Identity Management & Liberty Project

156

10/23/2004

What is XML Digital Signature ?

Authentication, data integrity (tamperproofing), non-repudiation Joint W3C/IETF effort

XML Signature

XML syntax for representing signature of web resources and portions thereof Procedures for computing and verifying such signatures Canonicalization of XML data Trust in key is out-of-scope

157

Specs: W3C Recommendation, RFC 3075 JSR-105

158

Why XML Digital Signature?

Very flexible, thus can support diverse set of internet transaction models

Can sign individual items of a XML document Can sign multiple items Can sign both local and remote objects
?

Allows detached signature that apply to remote, URI-referenced content

Can sign both XML and non-XML content Allows multiple levels of signing (different signing semantics) to same content
?

XML Encryption
159 160

Sign, co-sign, witness, notarize, etc.

10/23/2004

What is XML Encryption?

Data privacy (Confidentiality) Defines

Example of Encryption (Only credit card element is encrypted)

<purchaseOrder> <name>Alice Smith</name> <address> ... </address> <EncryptedData xmlns='http://www.w3.org/2000/11/temp-xmlenc'> <EncryptionMethod Algorithm="urn:nist-gov:tripledes-ede-cbc"> <s0:IV xmlns:s0='http://somens'>ABCD</s0:IV> </EncryptionMethod> <KeyInfo xmlns='http://www.w3.org/2000/09/xmldsig#'> <KeyName>SharedKey</KeyName> </KeyInfo> <CipherData>A23B45C56</CipherData> </EncryptedData> <prodNumber>8a32gh19908</prodNumber> <quantity>1</quantity> </purchaseOrder>

XML syntax for encrypted data Encrypting/decrypting such data Can encrypt only certain parts of document

W3C Recommendation now JSR 106

161

162

What is XKMS?
?

XKISS: XML Key Information Service Spec.

XKMS (XML Key Management Spec.)

163

A protocol for a trust service for resolving (validating) public keys used in XML Signature and Encryption Uses SOAP over HTTP A protocol for a web service that accepts registration, revocation, recovery of public keys

XKRSS: XML Key Registration Service Spec

XKMS defines protocols between a client and XKMS server

164

10/23/2004

Why XKMS?

PKI is important to Web service PKI is too complex to deal with in many applications

XKMS eases the integration of PKI by moving the complexity of PKI operation to a XKMS server XKMS reduces the processing burden by moving it to a XKMS server

PKI is too heavy for small devices

XACML
(eXtensible Access Control Markup Language)
165 166

So a XKMS server provides a Trust service (PKI Service) to XKMS clients in a form of Web service

What is XACML?

Why XACML?

Define core schema and namespace for authorization policies in XML:

Standardize access control language in XML

Extensible language with flexible semantics No need to develop app-specific languages No need to write policy in several languages Admins only need to understand one language Policies written by different parties can be combined
168

Used against XML elements in XML document Extensible Policy Decision Points (PDPs) involved in SAML might consult policies encoded in XACML to determine whether access will be granted to a resource

Lower costs

Closely aligned with SAML effort

Simpler

Policy composition

167

10/23/2004

XACML Use Case

A patient has patient record including psychiatric notes The patient grants access right to psychiatric notes only to primary care doctor The primary care doctor grants access to patient record to covering doctor, with access restriction following the transmitted documents so that covering doctor has no access to psychiatric notes
169

SAML (Security Assertion Markup Language)

170

What is SAML?
?

Why SAML?
?

Define an XML framework for exchanging authentication and authorization information

Standards are emerging for many facets of collaborative e-commerce, such as:

Various XML security assertions: credentials, authentication, attribute, authorization, etc... Request & response protocol

Business transactions (e.g., ebXML) Software interactions (e.g., SOAP)

? ? ?

Enables Single Sign-On (SSO) OASIS Standard JSR-155

171

But communicating security properties of these interactions isnt well standardized

Low interoperability between PMI solutions Tight coupling within components

172

10/23/2004

Use cases for sharing security information thru SAML

SAML developed three use cases to drive its requirements and design:
Single sign-on (SSO) Distributed transaction Authorization service

#1 Single Sign On (SSO)

?

Logged-in (authenticated) users of Smith.com are allowed to access to sister site Johns.com without relogin
Authenticate
SAML Assertion Request

Smith.com
SAML Assertion Response

Use secured resource without re-login

Johns.com
174

173

#2 Distributed Transaction
?

#3 Authorization Service
?

A car buyer also purchases an auto insurance from insurance.com which is affiliated with cars.com
cars.com

An employ of Works.com orders office supplies directly from Office.com, which performs its own authorization
Works.com
SAML Assertion Response

Buy a car
SAML Assertion Request

SAML Assertion Response

Employee of Works.com

SAML Assertion Request

Buy insurance

insurance.com 175

Office.com 176

10/23/2004

SAML Assertions
Assertions are declarations of fact, according

Authentication statement
?

to someone SAML assertions are compounds of one or more of three kinds of statement about subject (human or program)
Authentication Attribute Authorization

An issuing authority asserts that

subject S was authenticated by means M at time T

Targeted towards Single Sign On uses

177

178

Example assertion with authentication statement

<saml:Assertion > <saml:AuthenticationStatement AuthenticationMethod=password (By means M) AuthenticationInstant=2001-12-03T10:02:00Z>(At time T) <saml:Subject> (Subject S) <saml:NameIdentifier SecurityDomain=sun.com Name=Sang /> <saml:ConfirmationMethod> http://core-25/sender-vouches </saml:ConfirmationMethod> </saml:Subject> </saml:AuthenticationStatement> </saml:Assertion>

Attribute statement
?

An issuing authority asserts that

Subject S is associated with attributes A, B, with values a, b, c

Useful for distributed transactions and authorization services

179

180

10/23/2004

Example assertion with two attribute statements

<saml:Assertion > <saml:AttributeStatement> <saml:Subject>..Sang..</saml:Subject> <saml:Attribute AttributeName=PaidStatus (attribute AttributeNamespace=http://smithco.com> <saml:AttributeValue> (with value PaidUp </saml:AttributeValue> </saml:Attribute> <saml:Attribute AttributeName=CreditLimit (attribute AttributeNamespace=http://smithco.com> <saml:AttributeValue> (with value <my:amount currency=USD>500.00 </my:amount> </saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> A) a)

Authorization statement
?

An issuing authority decides

whether to grant the request by subject S for access type A to resource R given evidence E

B) b)
?

The subject could be a human or a program The resource could be a web page or a web service, for example
182

181

Example assertion with authorization statement

<saml:Assertion > <saml:AuthorizationStatement Decision=Permit (Whether to grant request) Resource=http://jonesco.com/rpt_12345.html> (for res. R) <saml:Subject></saml:Subject> (by Subject S) <saml:Actions ActionNamespace=http://core-25/rwedc > <saml:Action>Read</saml:Action> (for access type A) </saml:Actions> </saml:AuthorizationStatement> </saml:Assertion>

Protocol for Requesting & Receiving Assertions

Asserting Party (Issuing Party)

SAML Assertion Request

SAML Assertion Response

Relying Party (Requesting Party)

183

184

10/23/2004

WS-Security Specification
Set of SOAP extensions for end-to-end SOAP

messaging security
Security schemes at message level

Signing and encrypting SOAP messages by

attaching security tokens to SOAP messages

WS-Security
185

Any combination of message parts: Header blocks,

body, attachments

186

WS-Security Signature Model

Security Token
- Collection of (authority certified) claims

XML Digital Signature Bound to SOAP

SOAP Envelope WS-Security Header Signature KeyInfo
Security Token Security Token Reference SignedInfo Data Reference Data Reference

SOAP Body

Signature
- Establishes signer identity, content integrity - Dependent on key binding claim

Key Binding

Security Token Reference

- Identifies security tokens to satisfy key binding dependencies - May encapsulate security token

Security Token Reference

Security Token Claims

SignatureValue

Data Reference
- Identifies input to digest algorithm 187 188

10/23/2004

WS-Security Encryption Model

XML Encryption Bound to SOAP (Using Reference List)

SOAP Envelope WS-Security Header
Reference List Data Reference

Reference List
- Identifies encrypted content

SOAP Body

Encrypted Data
- Encapsulates encrypted content - May depend on key binding claim to identify encryption key

Encrypted Data KeyInfo

Security Token

Security Token Reference Cipher Data

Encrypted Key
- Conveys encrypted key and Reference List - Dependent on key binding claim
189

Key Binding

Message Content

190

XML Encryption Bound to SOAP (Using Encrypted Key)

SOAP Envelope WS-Security Header
Security Token Key Binding

SOAP Body EncryptedKey KeyInfo

Security Token Reference Encrypted Data Cipher Data

Security Token Reference

Security Token Claims

Reference
Data List Reference Data Reference Cipher Data

Encrypted Data
Cipher Data

Key

Message Content

How They Work Together

191 192

10/23/2004

SAML and Other Standards

SAML and Other Standards

SAML and XML DSig

XML DSig is used for digitally signing and

SAML and XKMS

SAML traffic could be secured by XKMS-based

canonicalizing SAML assertions Authenticating, tamper-proofing (integrity), non-repudiating SAML assertions

PKI (or by other PKI implementation, or by other means entirely)

SAML and XML Encryption

XML Encryption is used for encrypting and

SAML and XACML

XACML could be used to define access

decrypting SMAL assertions assertions

Enforcing privacy (confidentiality) of SAML

193

control/policy as a basis for handling SAML assertion request

194

SAML and Other Standards

SAML and WS-Security

SAML Assertions can be carried as security

tokens defined in WS-Security

SAML and Liberty Project

SAML is used as security information

exchange protocol among Liberty participants

195

10/23/2004

Possible Identity Solutions

Centralized Model Open Federated Model Financial Svcs
Customer Community Online Community Wireless Community

Identity Management & Liberty Project

197

Single Identity Operator

Telecommunications Community

Retail Community

Entertainment Community

Travel Community

198

Players in Federated Identity Model

Multiple Identity Providers Control over ownership and disclosure Multiple Service Providers Providers that are equal and interoperable

Circles of Trust
Name: ID Preferences: .

Supplier Supplier A C

Primary Trust Authority

(my company)

Accts Payable App

Supply Chain Aggregator

Supplier B

External Services

External Services

Calendar

Work Profile

External Services

Manage privacy and preferences Individuals with Multiple Profiles

Employee Circle of Trust

News Source Secondary Trust Authority
(e.g., my airline)

News Source

Primary Trust Authority

(e.g., my bank)

NI NI Service Enabled Merchants Aggregator

News Source

Home Profile

Name: ID Preferences: .

NI Enabled Services

Friends & Family Notification

External Services External Services External Services

199

Consumer Circles of Trust

200

10/23/2004

Evolution of Identity Networks

WS-I & Web Service Interoperability

Separate login for each site Separate login for each network Seamless login across networks

201

202

WS-I Is
An open industry effort chartered to promote Web Services interoperability across platforms, applications, and programming languages. The organization brings together a diverse community of Web services leaders to respond to customer needs by providing guidance, recommended practices, and supporting resources for developing interoperable Web services.

WS-I Is Not
?
?

Is not a source of WS-* specs

These have typically been proprietary specifications from single or small groups of companies, though a few have been submitted to recognized standards organizations

?
? ?

Is not a standards organization

Doesnt produce specs for new technology Profiles existing specifications
204

203

10/23/2004

Basic Profile 1.0

?

WS-I Support in J2EE 1.4

? ?

Profiling
SOAP 1.1, WSDL 1.1 and UDDI 2.0

Consists of 156 conformance requirement

48 related to SOAP 84 related to WSDL 8 related to UDDI 6 related to security

Package WS-I BP 1.0-conforming WSDL documents in your J2EE 1.4 application Containers will take care of all the details:
? ? ? ?

HTTP 1.1 requirements SOAP 1.1 requirements WSDL 1.1 requirements UDDI 2.0 requirements (if supported)

205

206

Supply Chain Management Sample Application

UDDI

Configurator

Warehouse A

Manufacture A

Retailer Web Page

Retailer

Warehouse B

Manufacture B

Warehouse C

Manufacture C

207

10/23/2004

WSDL Descriptions
Web Service Client

Testing Tools
Web Service

Monitor

Log File

Analyzer

Results

209

210

Analyzer
Analyzer Confg File

Test Assertion Document

WSDL Document

Demo
WS-I Sample Application, Monitor, Analyzer
211 212

Analyzer Message Log UDDI Document Conformance Report

XSLT

10/23/2004

Demo Scenario

Running WS-I Supply Chain Management sample application over service endpoints from various companies over the internet
?

Sun, IBM, BEA, Oracle

Running Monitor and Analyzer

Part IV: ebXML & UBL, Ongoing Web Services Standards

213

214

Fact About e-Commerce

U.S. E-commerce in 2000
Source: U.S. Census Bureau

U.S. E-commerce in 2006

Source: U.S. Forrester

Business Web Services

B2C $66bn (6.2%)

B2C $561.8bn (4.4%)

B2B $990bn (93.8%) B2B $12,275.5bn (95.6%)

E-commerce means B2B. And EDI accounts for about three-fourths of it 215 216

10/23/2004

The next big thing is Business Web Services

?

Business Web Services (B2B) Architectural Components (ebXML)

J2EETM
?

Service implementation platform standard Business web services standards Identity system standard Programming language and data representation standards

ebXML and UBL

?

Liberty Project
?

Java and XML

?

B2B collaboration Secure and reliable message delivery Non-repudiation Partner profile Repository for business data objects Standard and commonly agreed upon business documents
218

217

Simple Web Services (WUS) vs. B2B Collaboration (ebXML)

Simple Web Services
l l l l

EAI vs. B2B Collaboration (ebXML)

EAI
l

B2B Collaboration
l l l l

B2B Collaboration
l

l l

Simple interaction Consumer oriented Short-living process No business collaboration No partner profile Not secure, not reliable Does not support non-repudiation No repository support Synchronous

l l

Complex interaction Business oriented Long-running process Supports business collaboration Supports partner profile Secure and reliable Supports nonrepudiation Registry and repository Asynchronous

l l

Within a business organization Centralized control Implicit contract Small number of business processes and participants

l l

Between business organizations Distributed control Explicit contract Potentially large number of business processes and participants
220

219

10/23/2004

Universal Business Language (UBL)

EDI, ebXML, UBL

EDI B2B
Business Agreements
ad hoc TPA

Web B2B
ebXML CPA

Defines a library of standard electronic business documents Plugs directly into existing traditional business and legal practices Eliminates re-keying of data in existing fax-based supply chains Fills the payload slot in B2B frameworks such as the UN/OASIS ebXML initiative (http://ebxml.org) and various WS schemes
221

Business Processes

CASE tool

ebXML BPSS

ebXML Infrastructure (+ Registry/Repository)

Packaging/Transport Standard Messages

VAN

ebXML SOAP UBL Schemas

X12, EDIFACT

UBL Payload Message Conceptualization Implementation

Guidelines UBL Context Methodology

222

W3C

Web Services Standards Activities

223

XML, XML Schema, XSL, XQuery SOAP WSDL Web Services Addressing Web Services Choreography Semantic Web Services SOAP Message Transmission Optimization Mechanism (MTOM) XML Key Management Specification (XKMS) XML Signature XML Encryption
224

10/23/2004

OASIS

OASIS (Continued)

Asynchronous Service Access Protocol (ASAP) Business Transaction Protocol (BTP) * Electronic Business XML (ebXML) * Framework for Web Services Implementation Translation Web Services Web Services Business Process Execution Language (WS-BPEL) Web Services Composition Application Framwork (WS-CAF) Web Services Distributed Management (WSDM) Web Services Interactive Application (WSIA)
225

Web Services Notification (WSN) Web Services Reliable Messaging (WSRM) Web Services Resource Framework (WSRF) Web Services for Remote Portlets (WSRP) Web Services Security (WSS) * Universal Description, Discovery and Integration (UDDI) * Universal Business Language (UBL) * Security Assertion Markup Language (SAML) * Extensible Access Control Markup Language (XACML) *
226

What is SOA?
Principles and practices for designing shared, reusable, distributed services

Java Business Integration (JBI)

227

SOA Attributes:

Separation of service interface from underlying implementation (loose coupling) Promotes service reuse through discoverable and self-describing services Services are course-grained, composable, and rely on a standards based infrastructure
228

10/23/2004

Web Services Enables SOA

SOA Support in J2EE Platform

You can practice SOA without Web services... but.. Web services is the best enabler of SOA

Service interface hides service implementation Reusable Discoverable Compose'able Standard-based Industry momentum

Begins with J2EE 1.4 platform-based Web services Continues with J2EE 5.0 platform enhanced Web services J2EE 5.0 platform extended with JSR 208 (Java Business Integration)

SOA Core Extensible Service Engines Extensible Binding Components

230

229

J2EE Platform+Java Business Integration = Integration Server

SOA Platform

231

232

10/23/2004

A Service

Document-Style Web Services (vs. RPC)

233 234

RPC vs. Document-style

RPC
l l l l l l l

When to use Which model?

RPC
l

Document-style
l l l

Document-style
l

Procedure call Method signature Marshaling Tightly-coupled Point to point Synchronous Typically within Intranet

Business documents Schema Parsing & Validating Loosely coupled End to end Asynchronous Typically over internet 235

Within Enterprise Simple, point-topoint Short running business process Reliable and high bandwidth Trusted environment

l l l l

Between enterprise and enterprise Complex, end to end with intermediaries Long running business process Unpredictable bandwidth Blind trust

236

10/23/2004

Document-Style Web services Support in JAX-RPC

?

Use of document/literal SOAP message (instead of RPC/encoding)

? ?

SOAP body contains XML document, i.e. Purchase order Specified via style and use attribute in WSDL document Attachment contains XML document Specified via MIME binding in WSDL document
237

Fast Web Service

Use of Attachments
? ?

238

Current Performance Data

Loopback request/response latency
Protocol vs. Time (ms)
20 elements

Current Performance Data

Message size
Protocol vs. Size (bytes)
20 elements

25 22.5 20 17.5 15 12.5 10 7.5 5 2.5 0 JAX-RPC encoded JAX-RPC literal RMI/IIOP Protocol RMI

5500 5000 4500 4000 3500 3000 2500 2000 1500 1000 500 0 JAX-RPC encoded JAX-RPC literal RMI/IIOP Protocol RMI

Time (ms)

239

Size (bytes)

240

10/23/2004

Main Goals

The Big Picture

WSDL Unchanged

Provide much better performance Standards for Fast Web Services

- Interoperability

Application Protocol and Data Binding Transport

Application Protocol and Data Binding Transport

Take advantage of Java Web Services stack

- Fast implementation in stack

Can Change

Minimize impact to Web Service developers

- Stack will hide the details
241 242

Technical Goals

Use Cases

Cut overhead of XML processing

- SOAP message size - Marshaling to programmatic types

Web Services within the enterprise Time- and resource-sensitive systems

- Mobile phones - Satellites

Maximize use of APIs, tools and standards

- JAX-* APIs, WSDL

Support for J2ME, J2SE and J2EE technologies

- JSR-172, Web Services for J2ME - End-to-end support

High-performance computing
- Grid computing - Scientific computing

Example: Auto-ID
244

Platform and programming language independent

243

10/23/2004

Technological Requirements

Vanilla XML Encoding

Optimized encoding technology

- Fast infoset, Fast schema and Fast SOAP - Not specific to application

SOAP and XML have limitations

- Larger message size - Inefficient data representation - Marshaling requires more CPU processing

Proven use in network communications

- Large-scale deployment

Platform and programming language independent Existing standards

- Royalty-free and open
245

XML is highly self-describing, but there is a price for this: performance

246

Three Layers of Optimization Opportunity

Vanilla XML Pipeline

Compressible Bytes

Transport layer
- Mechanism: compression - Unit: bytes

Transport
XML 1.0 Bytes

XML information set layer

- Mechanism: binary XML representation - Unit: DOM, SAX or Pull API

Infoset
SAX/DOM/Pul l

Schema binding layer

- Mechanism: binary data representation - Unit: programmatic types
247

Binding

Types

248

10/23/2004

Fast Infoset Pipeline

Compressible Bytes

Fast Schema Pipeline

Compressible Bytes

Transport
XML Infoset Binary Bytes

Transport

Infoset
SAX/DOM/Pul l

Schema-optimized Binary Bytes

Binding

Types

Schema Knowledge

Binding

Types

249

250

Example: Schema Fragment

<complexType name=structType> <sequence> <element name=stringT type=xsd:string/> <element name=integerT type=xsd:integer/> <element name=booleanT type=xsd:boolean/> </sequence> </complexType>

XML and Fast Schema Encoding

XML
25B <stringT>string</stringT> 29B <integerT> 12345678</integerT> 25B <booleanT> true</booleanT>

Fast Schema
7B 4B 1b string 12345678 true

251

252

10/23/2004

Fast Performance Data

Loopback request/response latency
Protocol vs. Time (ms)
20 elements

Fast Performance Data

Message size
Protocol vs. Size (bytes)
20 elements

25 22.5 20 17.5 15 12.5 10 7.5 5 2.5 0

JAX-RPC encoded

JAX-RPC encoded Fast infoset

JAX-RPC literal

RMI/IIOP

JAX-RPC Fast schema

RMI

5500 5000 4500 4000 3500 3000 2500 2000 1500 1000 500 0

Size (bytes)

Time (ms)

JAX-RPC encoded

JAX-RPC encoded Fast infoset

JAX-RPC literal

RMI/IIOP

JAX-RPC Fast schema

RMI

Protocol

Protocol

253

254

ASN.1

Fast Encoding and ASN.1

Schema language for abstract type system Multiple encoding rules

?

Fast infoset encoding

- ASN.1 Schema for XML infoset

Types are independent of encoding

Royalty-free set of standards at ITU-T/ISO In development for nearly 20 years Extensively used in telecom industry Implementations in Java, C and C++ programming languages
255

Fast schema encoding

- W3C XML Schema to ASN.1 mapping

Fast SOAP encoding

- ASN.1 Schema for SOAP

Packed Encoding Rules (PER)

- Most compact and CPU efficient - Other rules could be used (e.g., DER)
256

10/23/2004

Demo Scenario

Demo
Fast Web Service
257

Comparing regular Web service and fast Web service performance in real time using different size of the messages

258

Goals
? ?

Metadata-driven Web Service (JSR 181)

259

Simplify Web services development and deployment dramatically Leverage Java Language Metadata technology (JSR 175)
?

provide an easy to use syntax for describing web services at the source-code level Validate Web services metadata Produce class files containing metadata

Use standard Java compiler (J2SE 1.5)

? ?

Allow Web services metadata to be manipulated by tools

260

10/23/2004

Goals
? ?

JSR 181
?

Enable auto-deployment
?

Like JSP deployment

Java Web Service (JSR 181 WS) file is central

? ? ?

Abstract away details of Web Service implementation and deployment

?

Protocols, WSDL, service endpoints, XML/Java mapping, message formats, deployment descriptors, packaging

Both source and compiled form Web Service metadata annotates 181 WS file 181 WS file is a standard Java source file A Java language extension with compiler support Define Metadata vocabulary for application area
?

JSR 175 used to represent metadata (J2SE 1.5)

? ? ?

Built over existing Web services APIs and technologies

? ?

Hide low-level programming APIs for Web services components and J2EE Like JSP hides complexity of Servlet

Web Services (JSR 181 defines vocabulary)

Metadata in class file and available at run-time

262

261

An Example (Part of a 181 WS File)

@Protocol (httpSoap=true, soapStyle=documentLiteral) @TargetNamespace (namespace=http://schemas.myDomain.com/ws/) public class MyWebService{ @Operation public double zipDistance (String fromZip, String toZip){ . . . return distance.getDistance(fromZip, toZip); } . . . }

Web Services Transaction

263 264

10/23/2004

Transaction for Web services

Web services have different characteristics

Long running business process Multi enterprise and distributed (no single Transaction manager is present)

ACID properties need to be loosened up for Web services

Traditional locking cannot be used for long running process

J2ME & Web Services

265 266

BTP (Business Transaction Protocol) from OASIS

JSR-172

JAX-RPC Subset Overview

Parsing J2ME Web services client

JSR 172 Profile Configuration J2ME device xml/http

Web Services 267

Subset of JAX-RPC 1.0 Additionally specifies runtime SPI-portable stubs No support for the service endpoint model. The subset only provides support for clients to access web service endpoints. Alignment with WS-I Basic Profile Protocol encoding: SOAP 1.1 using XML based protocol

268

10/23/2004

Demo Scenario

Demo
J2ME Web Service
269

Building and running J2ME Web service client application (through an emulator) using Sun ONE Studio 5

270

Thank You!
271