Web Services Programming 1 Day 4

8/13/2019 Web Services Programming 1 Day 4

1/68

1

W e b Se r v i ce Pr o g r a m m i n g

u s i n g X M L a n d Ja v a TM Te c h n o l o g y

2

Sa n g Sh i n

s a n g . s h i n @ s u n . c o mw w w . j a v a p a s s i o n . c o m

Java Te c h n o l o g y Ev a n g e l i s tS u n M i c r o s y st e m s , I n c .

3

Co u r s e s I t e a c h

? XML (2001)

? Distributed programming using JiniTMandJavaSpacesTMt echnology (2002)

? Web services programming using XML andJava

TM

t echnology (on-going)

? www.javapassion.com/ webservices? Free " online" J2EETMprogramming (on-going)

? www.javapassion.com/ j2ee

? Free Advanced J2EE programming

? www.javapassion.com/ j2eeadvanced4

Pr e se n t a t i o n o f t h i s t a l k i sa v a i l a b l e f r o mw w w . j a v a p a s s i o n . c o m

10/23/2004


2/68

5

A g e n d a? Part I

? Web Services Overview? Core Web Services Standards: SOAP, WSDL, UDDI

? Par II? Web Services Development using Java Technology

? Part III? Web Services Security? Web Services Interoperability and WS-I

? Part IV? ebXML & UBL? Ongoing Web Services Activities 6

Pa r t I :W e b Se r v i c e s O v e r v i e w &

Co r e W e b Se r v i c e s St a n d a r d s

7

W h a t i s & W h yW eb Se rv i c es?

8

W e b Se r v i ce s D ef i n i t i o n b y W 3 C

A Web service is a software application

identified by a URI,

whose int erfaces and bindingare capableof being defined, described and

discovered byXML arti factsand supports direct interactionswith other

software applications

using XML based messages

via internet-based protocols

10/23/2004


3/68

10

Trad i t i on a l C/ S vs . Web Se rv i ces

Within enterprise

Tied to a set ofprogramming languages

Procedural Usually bound t o a

particular transport Tightly-coupled Effi cient processing

(space/ time)

Between ent erprises

Program languageindependent

Message-driven Easily bound to

different t ransports Loosely-coupled Relatively not efficient

processing

Traditional C/S Web Service

11

W e b A p p l i c a t i o n v s . W e b Se r v i c e s

User-to-programinteraction

Static integration ofcomponents

Monolit hic service

Program-to-programinteraction

Possibility of dynamicintegration ofcomponents (in thefuture)

Possibility of serviceaggregation (in thefuture)

Web Application Web Service

12

Web Services

SystemService

AppService

SystemService

AppService

SystemService

AppService

A Computer

System Software

Applicat ion

MonolithicSoftware

The Network

I m p a c t o f W e b S e r v ic e s o n S o f t w a r e : A p p l i c a t i o n D i s - I n t e g r a t i o n

10/23/2004


4/68

13

I m p a c t o n I n t e g ra t i o n :Tr i g g e r t h e N e t w o r k Ef f e ct

Web Serv i ces

Cus tomI n t e g r a t i o n

M e t c a l f e s La w : Th e v a l u e o f t h e n e t w o r k i sp r o p o r t i o n al t o t h e s q u a r e o f t h e n u m b e r o f

14

W h e r e isW eb Se rv i c es?

15

St a t e o f W e b Se r v i ce s

Technology/ Standards are sti l l evolving SOAP, WSDL, UDDI are notenough

Business web servicesis the next bigthing, but more works are neededin Quali ty of Service, Management, Metering

Securit y, t ransaction, reliabil it y

Work flow, Identity management,

Provisioning, Accounting and billing

Performance, scalability, availability

Web services wil l be adopted in phases

16

W e b Se r v i c e s A d o p t i o n P h a s e s

? 1stPhase SimpleWeb Services (Now)? Consumer-focused, stat eless, SOAP over HTTP/ S

? 2ndPhase EAIWeb Services (Begun)? Deployed wit hin organizat ion boundaries to

enable internal integration

? 3rdPhase Business Web Services(2004?)? Deployed on extranets to enable business

transactions with trading partners, suppliers,and customers, ebXML & UBL

10/23/2004


5/68

17

SOAP(Si m p l e O b j ec t

Access Pro toco l )

18

W h a t i s S OA P ?

Simple Object AccessProtocol

Wire protocol similar to IIOP for CORBA JRMP for RMI

XML is used fordata encoding text based protocol vs. binary protocol

Supports XML-based RPC

19

W h a t S O AP i s N o t

Nota component model

So it will notreplace objects and components,i.e. EJB, JavaBeans

Nota programming language

So it will notreplace Java

Nota solut ion for all

So it will notreplace other distributedcomputing t echnologies such as RMI

20

W h a t d o e s SO A P D e f i n e ?

Message Envelope

Encoding Rules

RPC Convent ion

Binding with underlying protocols

10/23/2004

6/68

21

SO A P M e s sa g e Fo r m a t

SOAP Envelope

SOAP Header

SOAP Message

Primary MIME part(text/xml)

Attachment

Attachment

SOAP Body

Header Entry

Header Entry

Body Entry

Body Entry

Attachment

22

SO A P M e s sa g e En v e l o p e

Encoding information

Header Optional

Couldcontain context knowledge Security

Transaction

Body RPC methods and parameters

Containsapplication data

23

SO A P En c o d i n g

Rules of expressing application-defineddata types in XML

Based on W3C XML Schema

Simple values

Built-in types from XML Schema, Part 2 (simpletypes, enumerations, arrays of byt es)

Compound values

Structs, arrays, complex t ypes

24

SOAP RPC Requ es t Exam p l e

< S O A P - E N V : E n v e l o p e x m l n s : S O A P -E N V = " " S O A P - E N V : e n c o d i n g S t y l e = " " >

< S O A P - E N V : H e a d e r >

< / S O AP -E N V : H e a d e r > < S O A P - E N V : B o d y >

< m : G e t L as t T r a d eP r i ce x m l n s : m = s o m e _ U R I " >

< t i c k e r Sy m b o l > S U N W < / t i c k e r Sy m b o l >

< / m : G e t L a st T r a d e P r i c e >

< / S O AP -E N V : B o d y >

< / S O AP -E N V : En v e l o p e >

10/23/2004

7/68

25

SOAP RPC Response Example

< S O A P - E N V : E n v e l o p e

x m l n s : S O A P -E N V = " " S O A P - E N V : e n c o d i n g S t y l e = " " >

< S O A P - E N V : H e a d e r >

< / S O AP -E N V : H e a d e r >

< S O A P - E N V : B o d y >

< m : G e t L a st T r a d e Pr i c e Re s p o n se x m l n s : m = s o m e _ U R I " >

3 0 . 5

< / S O AP -E N V : B o d y >

< / S O AP -E N V : En v e l o p e >

26

SOAP RPC

Information needed for a method call:

The URI of the target object

< S O A P - E N V : B o d y >

< m : G e t L a s t T r a d e P r i c e

x m l n s : m = h t t p : / / s t o ck s. c o m / St o c k Qu o t e s" > SU N W < / t i c k e r S ym b o l > < / m : G e t L a st T r a d e Pr i c e >

< / S O AP -E N V : B o d y >

27

SOAP RPC

Information needed for a method call: The URI of the target object Method name

< S O A P - E NV :B o d y > < m : G e t L a s t T r a d e P r i c ex m l n s : m = h t t p : / / s t o ck s .c o m / St o c k Q u ot e s " >

< t i c k e r Sy m b o l > S U N W < / t i c k e r S ym b o l > < / m : G e t L a s t Tr a d e P r i c e> < / S O A P- EN V : B o d y >

28

SOAP RPC

Information needed for a method call: The URI of the target object Method name Parameters

< S O A P - E N V : B o d y > < m : G e t L a s t T r a d e P r i c e

x m l n s : m = h t t p : / / s t o ck s. c o m / St o c k Qu o t e s" > < t i c k e r Sy m b o l > SU N W < / t i c k e r S ym b o l > < / m : G e t L a st T r a d e Pr i c e > < / S O AP -E N V : B o d y >

10/23/2004


8/68

29

Q u i c k W SD L Tu t o r i a l

30

W h a t i s W S D L?

XML language for describingweb services

Web service is described as

A set of communication endpoints (ports)

Endpoint is made of two parts

Abstract defini t ions of operations and messages

Concrete bindingto networking protocol (andcorresponding endpoint address) and messageformat

Why this separation?

Enhance reusability(as we will see in UDDIreference to WSDL document )

31

W h y W SD L?

Enablesautomationof communicat iondetails between communicating partners

Machines can read WSDL

Machines can invoke a service defined in WSDL

Discoverable through registry Arbitration

3rd party can verify if communication conformsto WSDL

32

W S DL D o c u m e n t Ex a m p l e

? Simple service providing stock quotes

? A single operation calledGetLastTradePrice

?

Deployed using SOAP 1.1 over HTTP? Request takes a ticker symbol of type

string

? Response returns price as afloat

10/23/2004


9/68

33

Types

Message

Operation

Port Type

Binding

Port

Service

W SD L El e m e n t s

34


Types Data type definitions Used to describe exchanged messages

Uses W3C XML Schema as canonical typesystem

35

W SD L Ex a m p l e : Ty p e s

36


Messages Abstract , t yped defini ti ons of databeing

exchanged

Operations

Abstract description of an action Refers t o an input and/ oroutput messages

Port type Collectionof operations Abstract definit ionof a service

10/23/2004


10/68

37

E x a m p l e :M e s sa g e s , O p e r a t i o n , Po r t t y p e

38


Binding

Concrete prot ocol and data formatfor apart icular Port type

Protocol example: SOAP 1.1 over HTTP or SOAP1.1 over SMTP

Port

Defines a single communication endpoint

Endpoint addressfor binding

URL for HTTP, email address for SMTP

Service Aggregate set of related ports

39

Ex a m p l e : B i n d i n g , P o r t , Se r v i ce

My first service

40

U D D I

10/23/2004


11/68

41

Se r v i c e Ar c h i t e c t u r e

UDDIdefines a way to publish and find

information about Web services.

UDDI

Registry

1. Service Registers

PUBLISH

3. Client callsService

BIND

2. Client RequestService Location

FIND

WebService

ServiceClient

42

Bus i ness Reg i s t r y Com ponen ts :

Informationabout thebusiness (address,contacts,...)

Categorization of thebusiness and its services

Technical informationabout how to invoke a

service

White Pages

Yellow Pages

Green Pages

43

U D D I D a t a T y p e s

BusinessEntity

BusinessService

BindingTemplate

BindingTemplate

Tmodel

Business Ent it y White Pages informat ion

Business Services Yellow Pages information

Binding Templat es Green Pages information

Contains references totModels

tModels Service Type Definit ions

Contains references to WSDLdocuments

Tmodel

44

B u s i n e s s E n t i t y

businessEntity

businessKeynameURLdescriptioncontacts

businessServicesidentifierBagcategoryBag

PhoneAddressEmail

Contact

businessService

PhoneAddressE-mail

Contact

businessService

serviceKeyNameDescriptionBindingTemplates

keyedReference

tModelKeykeyNamekeyValue

keyedReference


keyedReference


keyedReference


Top-level datastructure that holds

descriptive informationabout a businessentity

Service descriptionsand technicalinformation are

expressed within abusinessEntity

10/23/2004


12/68

45

B u s i n e s s S e r v i c e

StockQuoteService (...)

(...)

(...)

http://example.com/stockquote

Represents thebusiness services

provided by theb u s i n e s s E n t i t y

Unique key usedto represent aservice

Name of theservice

ContainsB i n d i n g T e m p l a t e structures

46

B i n d i n g T e m p l a t e

StockQuoteService (...)

(...)

(...)

http://example.com/stockquote

SpecifiesNetwork

endpointaddress

Contains areference to atModel

47

t M o d e l

Service type definition

Is expected to be created by industry

consortium Business entities create businessEntity's,

businessServices, and bindingTemplates

Shared by business entities Has a reference to WSDL document

Enables quick search of all businessentities which supports a particular service

Contains CategoryBag

48

t M o d e l Ex a m p l e

StockQuote Service

WSDL description of a standard stock quote service interface

WSDL source document.

http://stockquote-definitions/stq.wsdl

10/23/2004


13/68

49

P u b l i s h i n g S e r v i ce s Publishers interface

Save things

save_business save_service save_binding save_tModel

Delete things delete_business delete_service delete_binding delete_tModel

security get_authToken discard_authToken

4 messages to saveeach of the 4structures

Each save message accepts asinput the authTokenand one ormore corresponding structures.

4 messages to deleteeach of the4 core structures

They all accept the correspondinguuidkey as the parameter.

Security:

request an authentication token

inform registry that the authTokenis no longer valid.

50

P ro g r a m m e r ' s A PI :Se rv i ce D i scove ry

Inquiry interface Find things

Find_business Find_service

find_binding

find_tModel

Get details Get_businessDetail

get_serviceDetail

get_bindingDetail Get_tModelDetail

Taxonomy interface validate_categorization

Browse 4 messages to find

each of the 4structures

Drill-down The get call can be

used to getinformation regardinga specific instance ofany of the 4 datatypes, given the key

51

U D D I Ru n s O v e r SO A P

User

UDDISOAP Request

UDDISOAP Response

UDDI Registry

Node

HTTPServe

r

SOAPProcesso

rUDDI

RegistryService

B2B DirectoryCreate, View,Update, and

Deleteregistration

sPlatform-neutral

52

SOAP M essage Exam p l e fo rg e t _ s e r v i c eD e t a i l r e q u e s t

6FD77EF6-E7D6-6FF6-1E41-EBC80107D7B5

10/23/2004

14/68

53

SO A P M e s sa g e Ex a m p l e f o rge t_se rv i ceDe ta i l r esponse< E n v e l o p e > < s e r v i c e D e t a i l g e n e r i c = " 1 . 0 " o p e r a t o r = " X M e t h o d s " > < b u s i n e s s S e r v i c e s e r v i c e K e y = " 6 F D 7 7 E F 6 -E 7 D 6 - 6 F F6 - 1 E 4 1 - EB C 8 0 1 0 7 D 7 B 5 "

b u s i n e s s K e y = " D 1 3 8 7 D B 1 - C A 0 6 - 2 4 F 8 - 4 6 C 4 - 8 6 B 5 D 8 9 5 C A 2 6 " > < n a m e > C u r r e n c y E x c h a n g e R a t e < / n a m e > < d e s c r i p t i o n > E n d p o i n t f o r s e r v i c e < / d e s c r i p t i o n > < d e s c r i p t i o n > I M P L E M E N T A T IO N : g l u e < / d e s c r i p t i o n > < d e s c r i p t i o n > C O N T A C T E M A I L : s u p p o r t @ x m e t h o d s . n e t < / d e s c r i p t i o n > < b i n d i n g T e m p l a t e b i n d i n g K e y = " 0 0 3 6 D EB C -2 F 1 B -E B 8 4 -0 9 E 2 -3 A 4 3 3 2 C 3 E8 B 4 " s e r v i c e K e y = " 6 F D 7 7 E F 6 - E 7 D 6 - 6 F F 6 - 1 E 4 1 - E B C 8 0 1 0 7 D 7 B 5 " > < d e s c r i p t i o n > S O A P b i n d i n g < / d e s c r i p t i o n > < a c c e s s P o i n t

U R L Ty p e = " h t t p " > h t t p : / / s e r v i c e s .x m e t h o d s . n e t : 8 0 / s o a p < / a c c e s sP o i n t > < t M o d e l I n s t a n c e D e t a i l s > < t M o d e l I n s t a n c e I n f o t M o d e l K e y = " u u i d : D 7 8 4 C 1 8 4 -9 9 B 2 - D A2 5 - ED 4 5 -

3 6 6 5 D 1 1 A1 2 E 5 " / > < / t M o d e l I n s t a n ce D e t a i l s> < / s e r v i c e D e t a i l > < / E n v e l o p e >

54

U D DI Br o w se r i ns o a p c l i e n t . c o m

D e m o

55

U D D I B r o w s e r inw w w . s o a p c l i e n t . c o m

56

Se a r c h f o r a b u s i n e s s v i a B u s i n e s s N a m e

10/23/2004


15/68

57

U D D I B r o w s e r inw w w . s o a p c l i e n t . c o m

58

Bus i ness En t i t y

59

Li s t o f Se rv i ces

60

A pa r t i cu l a r Se rv i ce

10/23/2004


16/68

61

B in d i n g Te m p l a t e

62

t M o d e l

63

W S DL d o c u m e n t o f t h e s e r v i ce

64

UDDI ove r SOAP Requ est

10/23/2004


17/68

65

UDDI ove r SOAP M essage

66

Ex e c u t e a s e r v i c e (D e l a y e d s t o c k q u o t e )

67

Ex e c u t e a s e r v i c e ( De l a y e d s t o c k q u o t e )

68

R e su l t o f d e l a y e d s t o c k q u o t e s e r v i ce Ex e c u t i o n

10/23/2004


18/68

69

Acc essi ng Am azon . comt h r o u g h a W e b se r v ice

D e m o

70

D e m o Sc e n a r i o

Accessing Amazon.com Web service in

real-time through a browser Accessing Amazon.com Web service in

real-time using Swing applicat ion, whichuses Sun Java Studio generat ed stublibrary

71


Amazon.comBrowser

Web servicesclient

HTML/HTTP

XML/SOAP

72

P a r t I I :

W e b Se r v i c e s D e v el o p m e n tu s i n g Ja v a Te c h n o l o g y

10/23/2004


19/68

73

Ja va API sf o r W e b Se r v i c e s

74

Jav a APIs fo r SOAP, W SDL, UD DI

SOAP Messaging JAXM (JSR 67), SAAJ, JAX-RPC (JSR 101), JMS

WSDL Java API for WSDL (JSR 110)

JAX-RPC (JSR 101)

UDDI JAXR (JSR 67)

75

J2 EE W e b Se r v i c e s Fr a m e w o r k

J2EE 1.4 (JSR 151)

Web services for J2EE (JSR 109)

JAX-RPC (JSR 101)

JAXR SAAJ

EJB 2.1

76

Java AP Is f o r XM LD ocu m e n t M a n a ge m e n t

JAXP (Java API for XML processing, JSR 05)

Assembly language for XML document processing

JAXB (Java API for XML data-binding, JSR 31)

Higher level language for XML document processing

Streaming API for XML (JSR 173)

Pull-parsing API based on Iterator

Gives parsing controlto programmers

10/23/2004


20/68

77

Java AP Is f o r XM L Secu r i t y

XML Digital Signature (JSR 105)

XML Encrypt ion (JSR 106) XML Trust Service (JSR 104)

Secure Assertion Markup Language(SAML, JSR 155)

WS-Security (JSR 183)

78

M o r e Ja v a A P I s f o r W e b S e r v i c e s

XML Transactioning API for Java (JSR 156)

Java API for OASIS BTP Web Services for J2ME (JSR 172)

SOAP messaging for J2ME devices

Web Services Metadata for J2EE(JSR 181) Metadata based Web services

Java Business Integration (JSR 208) Foundation for Service-Oriented-Architecture (SOA)

79

W eb Se rv i c es

Su p p o r t in J2EE

80

W ha t I s a J2EE W eb Se rv i ce?? A set of endpoints (port s)operat ing on

messages

? Ports are operating wit hin a container Container provides runtime environment

Contract for runtime environment are specified inJAX-RPC, EJB 2.1, JSR 109

? Service is described abstractly in WSDLdocument and published to a registry

WSDL specifies a contract between service providerand client

10/23/2004


21/68

81

W e b Se r v i ce Co m p o n e n t a n dC o n t a i n e r

Container vs. Component model Web services components get executed wi th in

a container

Container provides host executi onenvironment

Components are portable

Web service component is 1st-classJ2EEcomponent along wit h JSP, Servlet, EJBcomponents in J2EE 1.4

82

W e b S e r v ic e Co m p o n e n t s

Source: Web Services for J2EE (JSR 109), V1.0

W e b s e r v i c e sc o m p o n e n t s

83

W e b S e r v i c e C o n t a i n e r? Provides

? Life cyclemanagement of web servicecomponents

? Provides a listenerfor WSDP port address

? Listerner t hen dispatches client requeststo web

services components? Runtime services: Security services

? Wil l use existing containers? Web container for Servlet-based endpoint

? EJB container for EJB-based endpoint

84

W e b Se r v i ce s En d p o i n tA r c h i t e c t u r e

10/23/2004


22/68

85

W eb Serv ices for th e J2EE 1.4 Plat for m

Client View

JAX-RPC Server View

Servlet based endpoint (port)

JAX-RPC

Runtime is provided by Web container

Stateless Session Bean based endpoint (port )

EJB 2.1

Runt ime is provided by EJB container

86

J2 EE 1 . 4 W e b Se r v i c e s Fr a m e w o r k

J2EE 1.4 is an umbrella framework

for Web services Web services for J2EE (JSR 109)

JAX-RPC

SAAJ

JAXR

EJB 2.1

Connector architecture 1.5

87

W eb Serv i ces fo r J2EE (JSR 10 9)

? Addresses overall Web services architectureover J2EE

Cli ent model

based on JAX-RPC

Server programming model based on JAX-RPCand EJB 2.1

Deployment descriptor and packaging

WSDL binding

Security

Incorporates JAX-RPC, EJB 2.1 88

JAX-RPC

Servlet-based Web service endpoint model

XML data types to/ from Java types mapping

WSDLto/ from Javamapping

JAX-RPC Client Programming Model s SOAP Message Handler framework

Extensible type mapping

We will talk about t he above in detail l ater on!

10/23/2004


23/68

89

JAX-RPC Arch i t ec tu re D iag ram

Server -s ide JAX-RPCR u n t i m e S y s t e m

Co n ta in e r

JAX-RPC

Se r v i c e En d p o in tWSDLJava

W S D L D o cu m e n t

HTTP

Cl ient -s ide JAX-RPCR u n t i m e S ys t e m

S O A P

Co n ta in e r

JavaWSDLG e n e r a t e d C o d e

JAX-RPC

Cl i e n t

90

SAAJ

Handles l ow-level SOAP message handli ng

Contains t he API for creating and populating aSOAP messages conforming t o SOAP 1.1 and SOAPwith Attachment specifi cati ons

Used by high-level APIs (such as JAX-RPC runt ime)

Contains API necessary for sending request-response (non-provider-model)messages

Separated out from JAXM 1.0 into JAXM 1.1and SAAJ 1.1

91

W eb Serv i ces Sup po r t i n EJB 2 .1

Defines Stateless Session Bean-based Webservices endpoint model

Stateless session bean can be web servicesimplementation

Web services endpoint interface (servicedefinit ion interface) for Stateless session bean

Can implement SOAP Message Handlers forStateless session bean based endpoint

92

JAXR

Standard Java API for performing registryoperations over diverse setof registries

Web service publication & discovery

Aunified information model for describingbusiness registry content

Providesmulti-layered API abstractions

Level 0: for UDDI

Level 1: for ebXML registry/ reposit ory

10/23/2004


24/68

93

M essage -Dr i ve n Bean s (EJB 2 .1 )

Message-driven bean (MDB) contracts are

extended to support additional messaging types(e.g., JAXM) in addition to JMS

JMS MDB implementsjavax.jms.MessageListener

JAXM MDB implements eitherjavax.xml.messaging.One-wayListenerorjavax.xml.messaging.ReqRespListener

94

W eb Se rv i ceD ev el o p m e n t St e p s

Ove r J2 EE

95

St e p s f o r De v e l o p m e n t a n dD e p l o y m e n t o f W e b S e r vi ce s:

I. Definea Web service

II. Implementt he Web service

III. Producedeployment ready package

IV. Deploypackage over J2EE platform

V. Publish the Web service and bindinginformation to aservice registry

VI. Serveservice requests from client96

I . De f i n i n g a W e b S e r v ic e Web service is defined in

WSDLor

Web service endpoint interface (Java interface)

Top-down

WSDL is created (or found) f irstbeforeit s implementation

Bottom-up

WSDL gets generated from existingJ2EE components

10/23/2004


25/68

97

Se r v i c e En d p o i n t I n t e r f a c e

A Java interface type as specified in JAX-RPC

Extendsjava.rmi.Remote

Needed for both servlet-based andstateless session bean based endpoint

Could be generated from WSDL

Declared in Web service deploymentdescriptor

98

public interface StockQuoteProvider extends java.rmi.Remote {

public float getLastTradePrice(String tickerSymbol) throws java.rmi.RemoteException; ... }

E x a m p l e :S e r v i c e E n d p o i n t I n t e r f a c e

99

I I. I m p l e m e n t W e b Se r v i ce

1. Choose implementation form

Java class (for servlet-based endpoint )

Stateless session bean

2. Implement business logic for methods

Deployment tools generate needed art ifacts forruntime

Container delegates invocations on serviceendpoint to either Java class or session beaninstance

3. Create deployment descriptor100

public class StockQuoteProviderImpl

implements StockQuoteProvider{

public float getLastTradePrice(String tickerSymbol)

throws java.rmi.RemoteException{ // business logic for method

}}

Examp le Imp lemen ta t i on :Java Class for Servl et -ba sed En dp oi nt

10/23/2004


26/68

101

Ex a m p l e I m p l e m e n t a t i o n :Sta te l ess Sess ion Bea n Class

public class StockQuoteProviderBean

implements javax.ejb.SessionBean{

.. .

public float getLastTradePrice(String tickerSymbol)

throws java.rmi.RemoteException{

// business logic for method

}

.. .

}

102

I II . Cr e a t e D e p l o y ' a b l e p a c k a g e? Ready-to-deploy' ablepackage

WAR fil e (servlet-based) EJB-JAR file (stateless session bean based)

? Standardizationfor portabil it y

Package structure

Web Services Deployment descriptor

103

Des ign Goa l s J2EE 1 .4 W ebSe r v i ce s Fr a m e w o r k? Portabilityof Web services component

Over different vendor plat form

Over different operat ional environment

? Leveraging existing J2EEprogrammingmodelsfor service implementation

? Easyto program and deploy

High-level Java APIs

Use existing deployment model

104

P a ck a g e Co n t a i n s? WSDL document

? Service endpoint interface

? Service implementation

? Web Services Deployment descriptor

10/23/2004

27/68

105

Web Serv ices Dep loyment Descr ip to r

webservices.xml

< w e b s e r v i c e s > < w e b s e r v i c e - d e s c r i p t i o n > < w e b s e r v i c e - d e s c r i p t i o n - n a m e > J o e s S e r v i c e s < / w e b s e r v i c e -d e s c r i p t i o n - n a m e > < w s d l - f il e > M E TA -I N F / j o e . w s d l < / w s d l - f i l e > < j a x r p c -m a p p i n g - f il e > M E TA -I N F / j o e s _ m a p p i n g s . x m l < / j a x r p c -m a p p i n g - f i l e> Jo e P o r t < s e r v i c e - i m p l - b e a n > < e j b - l i n k > Jo e E JB < / e j b - l i n k > < / s e r v i c e -i m p l - b e a n > < / w e b s e r v i c e -d e s c r i p t i o n >< / w e b s e r v i c e s >

106

I V . De p l o y P a c k a g e

Responsibility of Container (or deployment

tool) Validation of t he package

Creation of runti me arti facts

Configurat ion of t he server s SOAP requestlisteners for each port (binding to a port)

Generation of concrete WSDL document

Publication of Web services

107

W SD L t o / f r o m Ja v aM a p p i n g

108

Ex a m p l e : M a p p i n g o f W S DL p o r t T y p e t oSe r v i c e D e f i n i t i o n I n t e r f a c e


28/68

109

JAX-RPC Rela t ionsh ip to WSDL

Toolsare used to convert between

WSDL documents and sets of Javaremote interfaces

JAX-RPCdescribes a Web Service as acollection of remote interfacesand

methods

WSDLdescribes a Web Service as acollection of portsand operations

110

B u i l d i n g a W e b Se r v i ceus i ng Sun Jav a St u d i o

IDE

D e m o

111

D e m o S ce n a r i o

Exposing methods of a Java class as aWeb servi ce using Sun ONE Studio 5(Bottom-up approach)

Packaging and deploying a Web serviceat Web-ti er over Sun ONE App server

using Sun ONE Studio 5 Test ing the Web service through a

browser using automatically generatedJSP pages and custom t ags

112

SOAP

M e ssa g e H a n d l e r

10/23/2004

29/68

113

SO A P M e ss a g e H a n d l e r s

Handlers let you access/ modify SOAPrequest and response messages Typical ly used to process service context s in SOAP

header blocks

Can be used to extend functionalit y of Webservices runtime system

? J2EE containers (which provide Web servicesruntime) are likely to use them internally toprovide session/ tr ansacti on propagation

Example handlers: encryption, decryption, authenti cati on,

authorization, logging, auditi ng, caching 114

SO A P M e s sa g e H a n d l e r s

Pluggable and chainable Through standardized programming API

Portable across implementat ions

Has its own li fe-cycle JAX-RPC runt ime system cal ls init (), destroy()of a

handler

Handler instances can be pooled

MessageCont ext is used to shareproperties among handlers in a handlerchain

115

SO A P M e s sa g e H a n d l e r s

Se r v i c e

E n d p o i n t ( P o r t )

H a n d l e r

#1

H a n d l e r

#2

S O A P M e s s a g e< Re q u e s t>

S O A P M e s s a g e< Re s p o n s e >

H a n d l e r Ch a i n

116

Ex a m p l e S OA P M e s sa g e H a n d l e rpackage com.example;public class MySOAPMessageHandler implementsjavax.xml.rpc.handler.Handler{ public MySOAPMessageHandler() { ... } public booleanhandleRequest(MessageContext context, HandlerChain chain){ try { SOAPMessageContext smc = (SOAPMessageContext)context; SOAPMessage msg = smc.getMessage(); SOAPPart sp = msg.getSOAPPart(); SOAPEnvelope se = sp.getEnvelope(); SOAPHeader sh = se.getHeader();

// Process one or more header blocks // ... // Next step based on the processing model for this handler } catch(Exception ex) { // throw exception } } // Other methods: handleResponse(), handleFault(), init(), destroy()}

10/23/2004


30/68

117

B u i l d & D ep l o y a c h a i no f Ser ver s id e SOAPM e ssa g e H a n d l e r s

D e m o

118


Write SOAP message handler codes Dump intercept ed SOAP messages

Using Sun ONE Studio 5, conf igure andredeploy a Web service wit h a chain ofSOAP message handlers

Run any client to access the redeployedWeb service and see the dumped SOAPmessages

119

Sess ionM a n a g e m e n t

120

Se ssi o n M a n a g e m e n t JAX-RPC runt ime systemmanages session

Service client or service developer do not have todeal with session management

Supported Session management schemesover HTTP Cookie-based URL rewriting

SOAP Header-based session managementscheme in the future

10/23/2004

10/23/2004


31/68

121

Sess ionM a n a g e m e n t

D e m o

122


Perform a series of Web services callsthrough which a session state ismaintained

123

W eb Se rv i c e Cl i en t

D ev e l o p m e n t St e p sOver J2EE

124

W e b S e r v i c e s Cl i e n t V i e w

Independent of how an XML based RPCservice (service endpoint ) is implemented onthe server side

Generates a Java based cl ient siderepresentation for a service from WSDL

document Must notbe exposed or tied to a specific

XML based protocol, transport or anyimplementation specific mechanism

Can be standalone app, Web-tiercomponent s, EJB beans

10/23/2004

10/23/2004


32/68

125

WSDL Document

W S D L V i e w o f a W e b S e r v ic e

Service A Binding "FooB"

SOAP/ HTTP

Port Type "FooPT"

Operation "Op1"

Operation "Op2"Service B

Port "Bar"

Port "Xyz"

Port ...

Http:// .../ foo

Port "Foo"

126

W e b S e r v i c e s Cl i e n t V i e w Abstract part of WSDL document (PortType) is

represented by Service Endpoint Interface

Container provides actual implementations ofService Endpoint Interface Stub or dynamic proxy

Concrete part of WSDL document (Service, Port)is represented by Service Interface Container provides actual implementation of

Service interface Service object

Service object is a factory class for stub or dynamicproxy

127

W e b Se r v i c e s Cl i e n t A r c h i t e c t u r e

Service

EndpointInterface

ServiceInterface

ClientPort

Container

128

D e v . St e p s f o r W e b S e r v i c e Cl i e n t

1.Discover WSDLdescript ion of service

2.Identify service provider endpoint address

3.Get client-side Web services code artifacts(i.e. stub or dynamic proxy)

Code artifacts are generated by container (ordeployment tool)

4.Send messages to endpoint s that provideservice implementation (through stub ordynamic proxy)

5.Receive back messages that contain results

10/23/2004

10/23/2004


33/68

129

Public class InvestmentBean implements SessionBean{ public void checkPortfolio(...) {

// Get Service object through JNDI

InitialContext ctx = new InitialContext(); StockQuoteService sqs =

(StockQuoteService) ctx.lookup( "java:comp/env/service/StockQuoteService");

// Get stub or dynamic proxy object from // Service object which functions as a factory StockQuoteProvider sqp= sqs.getStockQuoteProviderPort();

// Invoke a method to Web service float quotePrice = sqp.getLastTradePrice(...); ... }

Ex a m p l e : W e b s er v i c e Cl i e n t

130

JAX-RPC Cl i e n tP r o g r a m m i n g

M o d e l s

131

Cl i en t P r o g r a m m i n g M o d e l s

Stub-based (l east dynamic) Both interface (WSDL) and implementaion

(stub) created at compile time

Dynamic proxy Interface (WSDL) created at compile t ime

Implementation (dynamic proxy) created atruntime

Dynamic invocation interface (DII) Both interface (WSDL) and implementaion

created at runtime

132

St u b -b a s ed I n v o ca t i o n M o d e l

Stub class gets generated at compile time

All needed value classes are also generated

Instantiated using vendor-generated Serviceimplementation class

Stub class is bound to a specific XML protocol(i.e. SOAP) and transport (i.e. HTTP)

Best performance

Stub class implements

javax.xml.rpc.Stub interface Web service definition interface

10/23/2004

10/23/2004


34/68

133

St u b Cl a s s H i e r a r c h y

javax.xml .rpc.Stub

com.example.stockQuoteProvider

com.example.StockServiceSoapBinding_Stub

javax.xml .rpc

com..xml.rpc

134

D y n a m i c Pr o x y -b a s e d I n v o c a t i o nM o d e l Dynamic proxy is generated on the fly

by JAX-RPC client runtime

Applicat ion provides the Web servicedefinition interfacethe dynamic proxyconforms to during runtime

Easiest to program but slower thanstub-based

- implementation object created and casted

135

Ex a m p l e : D y n a m i c Pr o x y Cl i e n t package proxy; import java.net.URL; import javax.xml.rpc.Service; import javax.xml.rpc.JAXRPCException; import javax.xml.namespace.QName; import javax.xml.rpc.ServiceFactory; public class HelloClient {

public static void main(String[] args) { try { String UrlString = "http://localhost:8080/ProxyHelloWorld.wsdl"; String nameSpaceUri = "http://proxy.org/wsdl"; String serviceName = "HelloWorld"; String portName = "HelloIFPort";

URL helloWsdlUrl = new URL(UrlString);

ServiceFactory serviceFactory = ServiceFactory.newInstance();

Service helloService = serviceFactory.createService(helloWsdlUrl, new QName(nameSpaceUri, serviceName));

HelloIF myProxy = (HelloIF) helloService.getPort(new QName(nameSpaceUri, portName),proxy.HelloIF.class);

System.out.println(myProxy.sayHello("Buzz")); } catch (Exception ex) { ex.printStackTrace(); }

}} 136

D II In v o c a t i o n M o d e l Gives complete control to client

programmer

Most dynamic but complex programming

Enables brokermodel Client finds (through some search criteria) and

invokes a service during runtime through a

broker

Used when service definition interface is notknown until runtime

You set operation and parameters during runtime

Has to create Callobject first

10/23/2004

10/23/2004


35/68

137

Ex a m p l e : D I I Cl i e n t package dynamic;

import javax.xml.rpc.Call; import javax.xml.rpc.Service; import javax.xml.rpc.JAXRPCException; import javax.xml.namesp ace.QName;

import javax.xml.rpc.S erviceFactory; import javax.xml.rpc.ParameterMode;

public class HelloClient {

private static String endpoint = "http://localhost:8080/dynamic-jaxrpc/dynamic"; private static String qnameService = "Hello"; private static String qnamePort = "HelloIF";

private static String BODY_NAMESPACE_VAL UE ="http://dynamic.org/wsdl";

private static String ENCODING_ST YLE_PROPER TY = "javax.xml.rpc.encodingstyle.namespace.uri";

private static String NS_XSD ="http://www.w3.org/2001/XMLSchema";

private static String URI_ENCODING =

"http://schemas.xmlsoap.org/soap/encoding/";

138

Ex a m p l e : D I I Cl i e n tpublic static void main(String[] args) { try { ServiceFactory factory = ServiceFactory.newInstance(); Service service = factory.createService(new QName(qnameService)); QName port = new QName(qnamePo rt);

Call call = service.createCall(port); call.setTargetEndpointAddress(endpoint);

call.setProperty(Call.SOAPACTION_USE_PROPERTY, new Boolean(true)); call.setProperty(Call.SOAPACTION_URI_PROPERTY,""); call.setProperty(ENCODING_STYLE_PROPERTY, URI_ENCODING); QName QNAME_TYPE _STRING = new QName(NS_XSD, "string"); call.setReturnType(QNAME_TYPE_STRING); call.setOperation Name(new QName(BODY_NA MESPACE_VA LUE "sayHello")); call.addParameter("String_1", QNAME_TYPE_STRING, ParameterMode.IN); String[] params = { "Duke!" };

String result = (String)call.in voke(params); System.out.println(result);

} catch (Exception ex) { ex.printStackTrace(); } } }

139

Bu i l d i n g a n d Ru n n i n g

Th ree Cl i en tP r o g r a m m i n g

M o d e l s

D e m o

140


Build and run client programs usingthree cli ent programming models Stub-based

Dynamic proxy

DII Compare the duration of call among the

three cli ent programming models

10/23/2004

10/23/2004


36/68

141

P a r t I I I :W e b S e r v i c e s Se c u r i t y &

W e b Se r v i ce s In t e r o p e r a b i l i t y

142

W eb Se rv i c e Sec u r i t yo ve r J2 EE

143

W e b Se r v i c e s Se c u r i t y I s su e s

? Authentication

? Authorization

? Integrity and confidentiality

?

Audit? Non-repudiation

144

W eb Serv i ce s Secu r i t y ove r J2EE

? Current? Leverages the existing transport-level securit y

models of J2EE

? Future? Foll ow XML and Web services securi ty standards

work? Message-level securi ty? Informati on about t he authentication policy

wil l be included in or available through theservice defini t ion (WSDL)

10/23/2004

10/23/2004


37/68

145

A u t h e n t i ca t i o n (a t Tr a n s p o r tl e v e l )

? Basic-authentication (with or withoutSSL)

? Symmetric HTTPS (Mutualauthentication)

146

StockQuoteService sqs = getStockQuoteService(..);

// Get the instance of stub object setting username &password

StockQuoteProvider sqp =sqs.getStockQuoteProviderPort(

"",

"");

float quote =

sqp.getLastTradePrice("ACME");

Ex a m p l e : B a si c A u t h e n t i c a t i o n

147

A u t h o r i z a t i o n

? Gets performed after authent ication Identityof a user is associated wit h t he request

after authentication

? Leverages the existing J2EE authorizationmodel? Servlet based endpoint

? who can access what web resources? Stateless session bean based endpoint

? who can perform what EJB methods

148

I n t e g r i t y & Co n f i d e n t i a l i t y

? Leverages HTTPS? SSL supports encrypt ion

? WSDL document ' s port address may specifyhttps:

? J2EE 1.4 vendors are recommended to

support? XML digit al signature for data integrity

? XML encryption for confidentiality

10/23/2004

10/23/2004


38/68

149

A u d i t i n g

? J2EE 1.4 vendors are recommended tosupport audit ing

? Future? Standard format for record format and

programming API sti ll need to be defined

150

N o n - r e p u d i a t i o n

? HTTPS falls short on non-repudiation? J2EE 1.4 vendors are recommended to

support non-repudiation logging? Future

? Standard mechanism for non-repudiati on l ogging

151

Ac ces si ng W eb se r v i c ev i a Ba si c A u t h e n t i c a t i o n(an d SSL en c r y p t i on )

D e m o

152

D e m o Sc en a r i o

Redeploying a Web service with Basicauthentication enabled through SunONE Studio 5

Running client application withoutpassing username and password - itshould fail with authorizati on failure

Running client application withusername and password

10/23/2004

10/23/2004


39/68

153

W e b Se r v i c e sSe c u r i t y St a n d a r d s

154

Point of int eract ion is more over the

internet(as opposed to within an intranet) Interaction between partners wit h no

previously established relationship

Program to programinteraction (as opposedto human to program interaction)

More dynamicinteraction (as opposed tostatic interaction)

Largernumber of services providers and users

W h y M o r e St r i n g e n t Se cu r i t y f o rW e b Se r v i c e s?

155

I ssu e s w i t h Cu r r e n t W e bSe c u r i t y Sc h e m e s SSL/ TLS/ HTTPS

Transport level security (as opposed to messagelevel securit y)

Point -to-point securit y only,does not handleend-to-end multi-hopped messaging security

Security only when data is on the wire, does notsecure data off the wire

HTTPS does not support non-repudiation

HTTP might not be the only transport used

No element-wisesigning and encryption156

XML Digital Signature

XML Encrypt ion

XKMS (XML Key Management Specification)

XACML (eXtensible Access Cont rol MarkupLanguage)

SAML (Secure Assertion Markup Language)

ebXML Message Service Security

WS-Security

Identity Management & Liberty Project

XM L & W e b S e r v i ce s Se c u r i t yS c h e m e s

10/23/2004

10/23/2004


40/68

157

XM L Si g n a t u r e

158

W h a t i s XM L D i g i t a l Si g n a t u r e ? Authentication, data integrity (tamper-

proofing), non-repudiat ion

Joint W3C/ IETF effort XML syntax for representing signature of web

resourcesand portions thereof

Procedures for computing and verifyingsuchsignatures

Canonicalizationof XML data

Trust in key is out-of-scope

Specs: W3C Recommendat ion, RFC 3075

JSR-105

159

W h y XM L D i g i t a l Si g n a t u r e ?

Very flexible, thus can support diverse setof internet transaction models Can sign individual items of a XML document

Can sign multiple items

Can sign both local and remote objects?

All ows detached signature that apply to remote,URI-referenced cont ent

Can sign both XML and non-XML content

Allows multiple levels of signing (different signingsemantics)to same content

? Sign, co-sign, wi tness, notarize, etc.

160

XM L En c ry p t i on

10/23/2004

10/23/2004


41/68

161

W h a t i s XM L En c r y p t i o n ?

Data privacy(Confidentiality) Defines

XML syntax for encrypted data

Encrypting/ decrypti ng such data

Can encrypt only certain parts of document

W3C Recommendat ion now

JSR 106

162

Ex a m p l e o f En c r y p t i o n ( O n l y c r e d i tc a r d e l e m e n t i s e n c r yp t e d ) Alice Smith ...

ABCD SharedKey A23B45C56

8a32gh19908 1

163

XKM S (XM L KeyM a n a g e m e n t Sp e c.)

164

W h a t i s XK M S?? XKISS: XML Key Informat ion Service Spec.

Aprotocolfor a trust service for resolving(validating) public keysused in XML Signatureand Encryption

Uses SOAP over HTTP

? XKRSS: XML Key Registrat ion Service Spec

Aprotocolfor a web service that acceptsregistrat ion, revocation, recovery of public keys

? XKMS defines protocolsbetween a client andXKMS server

10/23/2004

10/23/2004


42/68

165

W h y XK M S? PKI i s important to Web service

PKI is too complexto deal with in many

applications XKMSeases the integration of PKIby moving the

complexity of PKI operation to a XKMS server

PKI is too heavy for small devices XKMSreduces the processing burdenby moving it

to a XKMS server

So a XKMS server provides a Trust service(PKI Service) to XKMS clients in a form ofWeb service

166

XACM L( e Xt e n s i b l e A c ce s s Co n t r o l

M a r k u p La n g u a g e )

167

W h a t i s XA CM L?

Define core schema and namespace forauthorization policiesin XML: Used against XML elements in XML document

Extensible

Closely al igned wi th SAML effort Policy Decision Points (PDPs)involved in SAML

might consult policies encoded in XACML todetermine whether access will be granted to aresource

168

W h y XA CM L? Standardize access control language in XML

Extensible language wit h flexible semantics

Lower costs No need to develop app-specific languages

No need to wri te policy in several l anguages

Simpler Admins only need to understand one language

Policy composition Policies written by different parties can be

combined

0/ 3/ 00

10/23/2004


43/68

169

A patient has patient record includingpsychiatric notes

The pat ient grantsaccessright topsychiatric notesonly to primary caredoctor

The primary care doctor grants access topatient record to covering doctor, withaccess restriction foll owing thetransmit ted documents so that coveringdoctor has no access to psychiatric notes

XACM L Use Case

170

SAM L (Secur i t yA sse r t i o n M a r k u p

L a n g u a g e )

171

W h a t i s SA M L?

? Define an XML framework for exchangingauthentication and authorizationinformation Various XML security assertions: credentials,

authentication, attribute, authorization, etc...

Request & response prot ocol? EnablesSingle Sign-On (SSO)? OASIS Standard? JSR-155

172

W h y SA M L?? Standards are emerging for many

facets of collaborative e-commerce,such as: Business transactions (e.g., ebXML) Software interactions (e.g., SOAP)

? But communicating securitypropertiesof these interactions isntwell standardized Low interoperability between PMI solutions Tight coupling wit hin components

/ /

10/23/2004


44/68

173

U s e c a se s f o r s h a r i n g s e c u r i t yi n f o r m a t i o n t h r u SA M L

SAML developed three use cases to

drive its requirements and design: Single sign-on (SSO)

Distributed transaction

Authori zati on service

174

# 1 S i n g l e S i g n O n ( SSO )? Logged-in (authenticated) users of Smith.comare

allowed to access to sister site Johns.comwithoutrelogin

Smith.com

Johns.com

Authenticate

S AM LA s s e r t i o nR e s p o n s e

Use securedresource without re-login

S AM LA s s e r t i o nR e q u e s t

175

# 2 D i st r i b u t e d Tr a n s a c t i o n? A car buyer also purchases an auto insurance from

insurance.comwhich is affil iated withcars.com

cars.com

insurance.com

S A M LA s s e r t i o nR e s p o n s e

Buy a car

Buy insurance


176

# 3 A u t h o r i za t i o n Se r v i ce? An employ ofWorks.comorders offi ce supplies

directl y from Office.com, which performs its ownauthorization

Works.com

Office.com

S A M LA s s e r t i o nR e s p o n s e

Employee ofWorks.com


10/23/2004


45/68

177

SA M L A ss e r t i o n s Assertions are declarationsof fact, according

to someone

SAML assert ions are compounds of one ormore of three kinds of statementaboutsubject (human or program) Authentication

Attribute

Authorization

178

A u t h e n t i c a t i o n st a t e m e n t

? An issuing authority asserts that

subject Swasauthenticated bymeans M

at time T

? Targeted t owards Single Sign Onuses

179

Ex a m p l e a sse r t i o n w i t ha u t h e n t i ca t i o n st a t e m e n t

(At time T) (Subject S)

http://core-25/sender-vouches

180

A t t r i b u t e st a t e m e n t

? An issuing authority asserts that

Subject Sis associated with

attributesA, B, with valuesa, b, c

? Useful for distributed t ransact ions and

authorization services

10/23/2004


46/68

181

Ex a m p l e a s se r t io n w i t h t w oa t t r i b u t e st a t e m e n t s

..Sang..

(with value a) PaidUp (with value b) 500.00

182

A u t h o r i za t i o n s t a t e m e n t? An issuing authorit y decides

whether to grantthe request bysubject S

foraccess type A toresource R

givenevidence E

? The subject could be a human or aprogram

? The resource could be a web page or aweb service, for example

183

Ex a m p l e a s se r t i o n w i t ha u t h o r i z a t i o n s t a t e m e n t

(for res. R) (by Subject S) Read (for access type A)

184

Pr o t o c o l f o r Re q u e s t i n g &R e ce i v i n g A s se r t i o n s

Asserting Party (Issuing Party)

Relying Party (Requesting Party)

SAML AssertionRequest

SAML AssertionResponse

10/23/2004


47/68

185

WS-Secur i t y

186

WS-Secu r i t y Spec i f i ca t i on

Set of SOAP extensions for end-to-end SOAPmessagingsecurity

Security schemes at message level

Signing and encrypting SOAP messages byattaching securi ty t okensto SOAP messages

Any combination of message parts: Header blocks,body, att achments

187

W S-Se c u r i t y Si g n a t u r e M o d e l

Securi ty Token- Collection of (authority certified) claims

Signature- Establishes signer identi ty, content int egrity

- Dependent on key binding claim

Securi ty Token Reference- Identif ies securit y tokens to satisfy key

binding dependencies

- May encapsulate securit y t oken

Data Reference- Identif ies input to digest algorithm

188

XM L D i g i t a l Si g n a t u r eB o u n d t o S O AP

Key Binding

Security TokenReference

SOAP Envelope

WS-Security Header

Security Token

Signature

KeyInfo

SignedInfo

Data Reference

Data Reference

SignatureValue


Security Token

Claims

SOAPBody

10/23/2004


48/68

189

W S -Se c u r i t y En c r y p t i o n M o d e l

Reference List- Identifies encrypted content

Encrypted Data- Encapsulates encrypted content

- May depend on key binding claim toidentify encryption key

Encrypted Key

- Conveys encrypted key and Reference List

- Dependent on key binding claim

190

XM L En c r y p t i o n B o u n d t o SO A P(Us ing Re fe rence L i s t )

SOAP Envelope

WS-Security

Header

DataReference

Reference List

Encrypted Data

Cipher Data

MessageContent

SOAPBody


KeyInfo

Key Binding

Security Token

191

XM L En c r y p t i o n B o u n d t o S OA P( U si n g En c r y p t e d K e y )SOAP Envelope

WS-SecurityHeader

Key Binding

Security TokenSecurity Token

Reference

KeyInfo

EncryptedKey

Data ReferenceData Reference

ReferenceList

Cipher Data

Key

Encrypted Data

Cipher Data


Security Token

Claims EncryptedData

Cipher Data

MessageContent

SOAPBody

192

H o w Th e y W o r kT o g e t h e r

10/23/2004


49/68

193

SA M L a n d O t h e r St a n d a r d s

SAML and XML DSigXML DSig is used for digitally signing and

canonicalizingSAML assert ions

Authenticating, tamper-proofing (integrity),non-repudiat ing SAML assert ions

SAML and XML Encrypt ionXML Encrypt ion is used for encrypting and

decryptingSMAL assertions

Enforcing privacy (confidentiality) of SAMLassertions

194


SAML and XKMSSAML traffi c could be secured by XKMS-based

PKI(or by other PKI implementation, or byother means entirely)

SAML and XACMLXACML could be used to define access

control/ policy as a basis for handl ing SAMLassertion request

195


SAML and WS-SecuritySAML Assertions can be carried as security

tokensdefined in WS-Security

SAML and Libert y Project

SAML is used as security informationexchange protocol among Liberty participants

10/23/2004


50/68

197

Id e n t i t y M a n a g e m e n t &Li be r t y P ro j ec t

198

P o ss ib l e I d e n t i t y S o l u t i o n s

S i n g l e I d e n t i t yO p e r a t o r

C e n t r a l i z e dM o d e l

F i n a n c i a l S v c sC u s t o m e r

C o m m u n i t y

O n l i n eC o m m u n i t y

T e l e c o m m u n i c a t i o n sC o m m u n i t y

T ravelC o m m u n i t yE n t e r t a i n m e n t

C o m m u n i t y

R e t a i lC o m m u n i t y

W i r e l e s sC o m m u n i t y

O p e n F e d e r a t e dM o d e l

199

P l a y e r s i n Fe d e r a t e d I d e n t i t y M o d e l

Pr o v id e r s t h a ta r e e q u a l a n di n t e r o p e r a b l e

C o n t r o l o v e ro w n e r s h i p

a n d d i s c l o s u r e

M a n a g e p r i v a c ya n d p r e f e r e n c es

MultipleIdentity

Providers

MultipleService

Providers

Individualswith

MultipleProfiles

200

Ci r c l e s o f T rus t

PrimaryTrust

Authority( m y c o m p a n y )

AcctsPayable

App

PrimaryTrust

Authority(e.g. , my bank)

Calendar

NIEnabled

Merchants

NIEnabledServices

SupplyChain

Aggregator

NIService

Aggregator

Name:

ID

Preferences:

.

Name:

ID

Preferences:

.

WorkProfile

HomeProfile

SupplierA

SupplierB

SupplierC

NewsSource

NewsSource

NewsSource

Employee Circle of Trust

Consumer Circles ofTrust

ExternalServices

ExternalServices

ExternalServices

ExternalServices

ExternalServices

ExternalServices

Secondary

TrustAuth ori ty

(e.g., my airline)

Friends &

FamilyNoti f ication

10/23/2004


51/68

201

Ev o l u t i o n o f I d e n t i t y N e t w o r k s

Separate loginfor each site

Separate loginfor each network

Seamless loginacross networks

202

W S-I & W eb Ser v i ceI n t e r o p e r a b i l i t y

203

W S-I I s

An open industry effort chartered to promoteWeb Services interoperabilityacross platforms,applications, and programming languages.

The organization brings together a diverse

community of Web services leaders to respond to

customer needs by providing guidance,recommended practices, and supportingresources for developing interoperable Webservices.

204

W S-I I s N o t

? Is nota source of WS-* specs? These have typically been proprietary

specifications from single or small groups of

companies, though a few have beensubmitted to recognized standards

organizations? Is not a standards organization

? Doesnt produce specs for new technology

? Profiles existing specifications

10/23/2004


52/68

205

B a s i c P r o f i l e 1 . 0

? Profiling SOAP 1.1, WSDL 1.1 and UDDI 2.0

? Consists of 156 conformancerequirement

48 related to SOAP

84 related to WSDL

8 related to UDDI

6 related to security

206

W S-I S u p p o r t i n J2 EE 1 . 4

? Package WS-I BP 1.0-conforming WSDLdocuments in your J2EE1.4 application

? Containers will take care of all thedetails:? HTTP 1.1 requirements

? SOAP 1.1 requirement s

? WSDL 1.1 requirements

? UDDI 2.0 requirements (if supported)

207

Su p p l y Ch a i n M a n a g e m e n tSa m p l e A p p l i c a t i o n

UDDI

Configurator Warehouse A

RetailerWeb Page

Warehouse B

Warehouse C

Manufacture A

Manufacture B

Manufacture C

Retailer

10/23/2004


53/68

209

W SD L D e s cr i p t i o n s

210

Te s t i n g To o l s

Monitor

AnalyzerLog File Results

WebServiceClient

WebService

211

A n a l y z e r

XSLT

TestAssertionDocument

WSDLDocument

UDDIDocument

ConformanceReport

Analyzer

AnalyzerConfg File

MessageLog

212

W S-I Sam p leA p p l i c a t i o n ,M o n i t o r , A n a l y ze r

D e m o

10/23/2004


54/68

213

D e m o S c e n a r i o

Running WS-I Supply Chain Managementsample appli cat ion over serviceendpoints from various companies overthe int ernet

? Sun, IBM, BEA, Oracle

Running Monitor and Analyzer

214

P a r t I V :e b X M L & U B L,

O n g o i n g W e b Se r v i ce s St a n d a r d s

215

B u s i n e s s

W e b S e r v i c e s

216

Fa c t A b o u t e -Co m m e r c e

E - c o m m e r c e m e a n s B 2 B .A n d E D I a c co u n t s f o ra b o u t t h r e e -f o u r t h s o f i t

U.S. E-commercein 2000

U.S. E-commercein 2006

Source: U.S. Census Bureau Source: U.S. Forrester

B2B $12,275.5bn (95.6%)

B2B $990bn (93.8%)

B2C $66bn (6.2%) B2C $561.8bn (4.4%)

10/23/2004


55/68

217

Th e n e x t b i g t h i n g i s B u s i n e s s W e bServ i ces? J2EETM

? Service implementation platform standard? ebXML and UBL

? Business web services standards

? Liberty Project? Identity system standard

? Java and XML? Programming language and data

representati on standards218

Bus i ness W eb Se rv i ces (B2B)A r ch i t e c t u r a l Co m p o n e n t s ( e b XM L)

B2B coll aborat ion

Secure and reliable message delivery Non-repudiation

Partner profile

Repository for business data objects

Standard and commonly agreed uponbusiness documents

219

B2B Collaboration

Sim p l e We b S e rv ices (W US ) vs .B 2 B Co l l a b o r a t i o n ( e b XM L)

l Simple interactionl Consumer orientedl Short-living processl No business

collaborationl

No partner profilel Not secure, not

reliablel Does not support

non-repudiationl No repository

supportl Synchronous

l Complex interactionl Business orient edl Long-running processl Supports business

collaborationl

Supports partnerprofilel Secure and reliablel Supports non-

repudiationl Registry and

repositoryl Asynchronous

Simple WebServices

220

B2B Collaborati on

EA I vs . B 2B Co l l abo ra t ion (ebXM L)

l Within a businessorganization

l Centralizedcontrol

l Implicit contractl Small number of

businessprocesses andparticipants

l Between businessorganizations

l Distributedcontrol

l Explicit contractl Potentially l arge

number ofbusinessprocesses andparticipants

EAI

10/23/2004


56/68

221

Universal Business

Language (UBL)

Defines a library of standard electronic

business documents Plugs directly into existing traditional

business and legal practices

Eliminates re-keying of data in existingfax-based supply chains

Fills the payload slot in B2B frameworkssuch as the UN/OASIS ebXML initiative(http://ebxml.org) and various WS schemes

222

EDI , ebXM L, UBL

Business Agreements

Business Processes

Packaging/Transport

Standard Messages

Message Conceptualization

ad hoc TPA

CASE tool

VAN

X12, EDIFACT

ImplementationGuidelines

ebXML CPA

ebXML BPSS

ebXML SOAP

UBLSchemas

UBL ContextMethodology

ebXML Infrastructure(+ Registry/Repository)

UBL Payload

EDI B2B Web B2B

223

W e b Se r v i c e s

St a n d a r d s A c t i v i t i e s

224

W 3 C

XML, XML Schema, XSL, XQuery SOAP WSDL Web Services Addressing Web Services Choreography

Semantic Web Services SOAP Message Transmission Optimization

Mechanism (MTOM) XML Key Management Specif icat ion (XKMS) XML Signature XML Encrypt ion

10/23/2004


57/68

225

OASIS

Asynchronous Service Access Protocol (ASAP)

Business Transact ion Prot ocol (BTP) *

Electronic Business XML (ebXML) * Framework for Web Services Implementation

Translat ion Web Services Web Services Business Process Execution Language

(WS-BPEL)

Web Services Composition Application Framwork(WS-CAF)

Web Services Distributed Management (WSDM)

Web Services Interacti ve Appli cation (WSIA)

226

O A SI S ( Co n t i n u e d )

Web Services Notification (WSN)

Web Services Reliable Messaging (WSRM)

Web Services Resource Framework (WSRF) Web Services for Remote Port lets (WSRP)

Web Services Securi ty (WSS) * Universal Descript ion, Discovery and Integration

(UDDI) *

Universal Business Language (UBL) * Security Asserti on Markup Language (SAML) * Extensible Access Control Markup Language

(XACML) *

227

Jav a Bu si n es s I n t eg r a t i on

(JBI)

228

W h a t i s SO A ?

P r i n c i p l e s a n d p r a c t i c e s f o r d e s i g n i n gs h a r e d , r e u s a b l e , d i s t r i b u t e d s e r v i c e s

SOA Attributes: Separat ion of service int erface from

underlying implementat ion (loose

coupling) Promotes service reuse through

discoverable and self-describing services

Services are course-grained, composable,and rely on a standards basedinfrastructure

10/23/2004


58/68

229

Web Se rv i ces Ena b l es SOA

You can practice SOA without Webservices... but..

Web services is the best enabler ofSOA Service interface hides service implementation

Reusable

Discoverable

Compose'able

Standard-based

Industry momentum230

SOA Support in J2EE Platform

Begins with J2EE 1.4 platform-based

Web services Continues with J2EE 5.0 platform

enhanced Web services

J2EE 5.0 platform extended with JSR208 (Java Business Integration) SOA Core

Extensible Service Engines

Extensible Binding Components

231

J2EE Platform+Java Business

Integration = Integration Server

232

SOA Platform

10/23/2004


59/68

233

A Service

234

D o c u m e n t - S t y l eW eb Ser v ice s (vs . RPC)

235

Document-style

R PC v s . D o c u m e n t -s t y l e

l Procedure cal l

l Method signature

l Marshaling

l Tightly-coupled

l Point to point

l Synchronous

l Typically withinIntranet

l Business documents

l Schema

l Parsing & Validat ing

l Loosely coupled

l End t o end

l Asynchronous

l Typically overinternet

RPC

236

Document-style

W h e n t o u se W h i c h m o d e l ?

l Within Enterpri se

l Simple, point-to-point

l Short runningbusiness processl Reliable and high

bandwidthl Trusted

environment

l Between enterpri seand enterprise

l Complex, end to endwith int ermediaries

l Long runningbusiness process

l Unpredictablebandwidth

l Blind trust

RPC

10/23/2004


60/68

237

? Use of document/literalSOAP

message (instead of RPC/encoding)? SOAP body contains XML document, i.e.

Purchase order

? Specified via style and use attribute in

WSDL document

? Use of Attachments? Attachment contains XML document

? Specified via MIME binding in WSDL document

D o c u m e n t - S t y l e W e b s e r v i c e sSuppo r t i n JAX-RPC

238

Fas t W eb Ser v i ce

239

Cu r r e n t Pe r f o r m a n c e D a t aLoopback request/response latency

JAX-RPCencoded

JAX-RPCliteral

RMI/IIOP RMI0

2.55

7.510

12.5

15

17.520

22.5

25

Protocol vs. Time (ms)

20 elements

Protocol

Time(ms)

240

JAX-RPCencoded

JAX-RPCliteral

RMI/IIOP RMI0

5001000150020002500

300035004000450050005500

Protocol vs. Size (bytes)

20 elements

Protocol

Size

(bytes)

Cu r r e n t P e r f o r m a n c e Da t aMessage size

10/23/2004


61/68

241

M a i n Go a l s

Provide much bett er performance

Standards for Fast Web Services

- Interoperability

Take advantage of JavaWebServices stack

- Fast implementat ion in stack

Minimize impact to Web Servicedevelopers- Stack will hide the details

242

Application

Protocol andData Binding

Transport

Th e B i g P i ct u r e

Application

Protocol andData Binding

Transport

Unchanged

Can Change

WSDL

243

Te c h n i c a l Go a l s Cut overhead of XML processing

- SOAP message size

- Marshaling to programmatic types

Maximize use of APIs, tools and standards- JAX-* APIs, WSDL

Support for J2ME, J2SEand J2EEtechnologies- JSR-172, Web Servi ces for J2ME

- End-to-end support

Platform and programming languageindependent

244

Use Cases

Web Services within the enterprise

Time- and resource-sensitive systems

- Mobile phones

- Satellites

High-performance computing- Grid computing

- Scientif ic computing

Example: Auto-ID

10/23/2004


62/68

245

Technological Requirements

Optimized encoding technology

- Fast infoset, Fast schema and Fast SOAP

- Not specific to application

Proven use in network communications

- Large-scale deployment

Platform and programming languageindependent

Existing standards

- Royalty-free and open

246

V a n i l l a XM L En c o d i n g

SOAP and XML have limitations

- Larger message size- Inefficient data representation

- Marshaling requires more CPUprocessing

XML is highly self-describing, butthere is a price for this:performance

247

Th r e e La y e r s o f O p t i m i za t i o nO p p o r t u n i t y

Transport layer- Mechanism: compression

- Unit: bytes

XML information setlayer

- Mechanism:binary XMLrepresentation- Unit : DOM, SAX or Pul l API

Schema bindinglayer

- Mechanism:binary datarepresentation

- Unit: programmatic types248

V a n i l l a X M L P ip e l i n e

CompressibleBytes

Infoset

Binding

Transport

XML 1.0 Bytes

SAX/DOM/Pull

Types

10/23/2004


63/68

249

Fa s t I n f o s e t P i p e l i n e

CompressibleBytes

Infoset

Binding

Transport

XML Infoset Binary Bytes

SAX/DOM/Pull

Types

250

Fa s t Sc h e m a P i p e l i n e

CompressibleBytes

Binding

Transport

Types

Schema-optimized BinaryBytes

Schema

Knowledge

251

Ex a m p l e : Sc h e m a Fr a g m e n t

252

XM L a n d Fa s t Sc h e m a En c o d i n g

string

12345678

true

string

12345678

true

XML Fast Schema

7B

4B

1b

25B

29B

25B

10/23/2004


64/68

253

Fa s t P e r f o r m a n c e D a t a

JAX-RPCencoded

JAX-RPCencodedFast infoset

JAX-RPCliteral

RMI/I IOP JAX-RPCFastschema

RMI0

2.55

7.5

1012.5

1517.5

2022.5

25

Protocol vs. Time (ms)20 elements

Protocol

Time(ms)

Loopback request/response latency

254

Fa s t P e r f o r m a n c e D a t a

JAX-RPCencoded

JAX-RPCencodedFast infoset

JAX-RPCliteral

RMI/I IOP JAX-RPCFastschema

RMI0

5001000150020002500300035004000450050005500

Protocol vs. Size (bytes)20 elements

Protocol

Size(bytes)

Message size

255

Schema language for abstract type system

Multiple encoding rules

? Types are independent of encoding

Royalty-free set of standards at ITU-T/ISO

In development for nearly 20 years

Extensively used in telecom industry

Implementations in Java, C and C++programming languages

ASN.1

256

Fast Encoding and ASN.1

Fast infoset encoding

- ASN.1 Schema for XML infoset

Fast schema encoding

- W3C XML Schema to ASN.1 mapping

Fast SOAP encoding- ASN.1 Schema for SOAP

Packed Encoding Rules (PER)

- Most compact and CPU efficient

- Other rules could be used (e.g., DER)

10/23/2004


65/68

257

Fast W eb Ser v ice

D e m o

258


Comparing regular Web service and fastWeb service performance in real time

using different size of the messages

259

M e t a d a t a -d r i v e n

W eb Ser v ice (JSR 18 1)

260

Goals

? Simplify Web services development anddeployment dramatically

? Leverage Java Language Metadatatechnol ogy (JSR 175)? provide an easy to use syntax for describing web

services at the source-code level

? Use standard Java compi ler (J2SE 1.5)? Validate Web services metadata

? Produce class fil es containing metadata

? Allow Web services metadata to bemanipulated by tools

10/23/2004


66/68

261

Goals? Enable auto-deployment

? Like JSP deployment

? Abstract away details of Web Serviceimplementation and deployment? Prot ocols, WSDL, service endpoint s, XML/ Java

mapping, message format s, deployment descriptors,packaging

? Built over existing Web services APIs andtechnologies? Hide low-level programming APIs for Web services

components and J2EE

? Like JSP hides compl exit y of Servl et262

JSR 181

? JavaWeb Service (JSR 181 WS) file is central? Both source and compiled form

? Web Service metadata annot ates 181 WS fi le

? 181 WS fi le is a standard Javasource file

? JSR 175 used to represent metadata (J2SE 1.5)? A Javalanguage extension with compiler support

? Define Metadata vocabulary for application area? Web Services (JSR 181 defines vocabulary)

? Metadata in class file and available at run-time

263

An Example (Part of a 181

WS File)@Protocol (httpSoap=true, soapStyle=documentLiteral)@TargetNamespace

(namespace=http://schemas.myDomain.com/ws/)

public class MyWebService{ @Operation public double zipDistance (String fromZip, String

toZip){ . . .

return distance.getDistance(fromZip, toZip); } . . .}

264

W e b Se r v i c e s

T r a n s a c t i o n

10/23/2004


67/68

265

Tr a n s a c t i o n f o r W e b s er v i ce s

Web services have dif ferent characterist ics Long running business process

Mult i enterprise and distr ibuted (no singleTransaction manager is present)

ACID properties need to be loosened up forWeb services Traditional locking cannot be used for long

running process

BTP (Business Transaction Protocol) fromOASIS

266

J2 M E &W e b Se r v i c e s

267

JSR-172

Parsing

J2ME Web services client

J2ME device

Configuration

Profile

JSR 172

xml/http

Web Services

268

JAX-RPC Sub se t Ove rv i e w

Subset of JAX-RPC 1.0

Additionally specifies runtimeSPI-portable stubs

No support for the service endpointmodel. The subset only provides support

for clients to access web serviceendpoints.

Ali gnment with WS-I Basic Profi le

Prot ocol encoding: SOAP 1.1 using XMLbased protocol

10/23/2004


68/68

269

J2M E W eb Ser v ice

D e m o

270


Building and running J2ME Web serviceclient application (through an emulator)

using Sun ONE Studio 5

271

Th a n k Yo u !

Date post:	04-Jun-2018
Category:	Documents
Upload:	vijaykumar015
View:	216 times
Download:	0 times

Web Services Programming 1 Day 4

Documents