Thursday, December 20, 2007

SOAP

We are now ready to discuss SOAP. SOAP is a unidirectional, XML-based protocol for
passing information. (As of draft version 1.2, SOAP is no longer an acronym.) Despite
being unidirectional, SOAP messages can be combined to implement
request/response processes, or even more sophisticated interactions. In addition to the
sending and the receiving nodes of a SOAP message, SOAP message routing includes
intermediary nodes. SOAP intermediaries should not be confused with intermediaries
in any underlying protocol. For instance, HTTP messages may be routed through intermediaries.
However, these intermediaries are not involved in the processing of SOAP
messages. SOAP intermediaries play a role in the handling or processing of a message
at the application level.
SOAP describes an XML-based markup language “for exchanging structured and
typed information.” The information passed in a SOAP message can either represent
documents or remote procedure calls (RPCs) that invoke specific procedures at the service
provider. A SOAP document could be a purchase order or an airline reservation
form. On the other hand, an RPC can invoke software to charge a purchase. There are
no clear guidelines to determine when a document or an RPC should be used. The system
designer will make this decision.
Web Services using SOAP have gained popularity very quickly. The concept of an
XML RPC was created in 1998 by David Winer of Userland Software. The XML-RPC
specification was released in 1999 and was the work of Winer, Don Box of Develop-
Mentor, and Mohsen Al-Ghosein and Bob Atkinson of Microsoft. While the specification
was published as XML-RPC, the working group adopted the working name
SOAP. Soon after, SOAP .9 and 1.0 were released. In March 2000, IBM joined the group
and worked on the SOAP 1.1 specification. The 1.1 version was adopted by the W3C as
a recommendation. SOAP version 1.2 currently exists as a series of working drafts
(W3C 2002e, W3C 2002f). In addition to the working drafts, there is a SOAP 1.2 Primer
(W3C 2002d) that takes the information in the working drafts and describes SOAP features
using actual SOAP messages.
The discussion in this section is based on the SOAP 1.2 working drafts. The discussion
is not meant to be all encompassing and is a brief overview of the protocol. The
reader should consult the W3C drafts or other books on SOAP to get further details.
As with any other protocol, there are two portions to the SOAP Protocol: a description
of the messages that are to be exchanged, including the format and data encoding
rules, and the sequence of messages exchanged. As the reader will see, there isn’t a lot
of specificity to SOAP. This is by design. Rather than overspecifying and trying to
anticipate every possible outcome, the SOAP designers took a minimalist approach.
SOAP specifies the skeleton of a message format—very little else is required. This
approach allows messages to be tailored to application-specific uses. In addition to the
protocol, there are protocol bindings that describe how SOAP can be transported using
different underlying transport protocols. Currently, HTTP is the only underlying protocol
with a binding referenced in the SOAP specification, but others are possible and
not excluded by the specification.
SOAP Message Processing
The two main nodes in processing a SOAP message are the initial message sender and
the ultimate message receiver. In addition, SOAP intermediaries, who are message
receivers that later forward the message toward the ultimate receiver, also have a role
in the processing of a SOAP message. For instance, in Figure 2.3, the buyer’s system
may send a purchase order to the seller via the buyer’s accounts payable system. The
accounts payable system records the details of the purchase so that, when an invoice
from the seller is received, the information needed to authorize a payment is already
entered. The accounts payable system is an intermediary. When the accounts payable
system completes its tasks, it is responsible for transmitting the purchase order to the
seller.
The buyer’s system can target portions of the SOAP message at different receivers.
The body of the message is, by definition, intended for the ultimate receiver of the message.
Other receivers may examine the body and process information in it but must not
modify it. The ultimate receiver must be able to understand and process the body. If it
can’t process the message, a SOAP fault is generated and returned to the sender. Unlike
the message’s body, elements in the message’s header can be:
■■ Explicitly targeted at specific receivers via a URI
■■ Targeted at a receiver based on its relative position in the processing chain
■■ Targeted using some application-defined role
Except for the ultimate receiver, all other receivers of the SOAP message are SOAP
intermediaries. When a URI is used, the URI can specify a unique and concrete
receiver, say by using a URL receiver.
When the relative position is used to specify a target, two predefined roles, next and
ultimateReceiver, are available. Next is a role assumed by the next receiver of a message.
UltimateReceiver is the ultimate receiver of the message. If no role is associated with the
element, the ultimate receiver is assumed to be the target.
A third predefined role, none, indicates that no receiver should process the element.
An element targeted at none may not be processed by any receiver but may contain
data that is examined in the course of processing other elements.
The third option for targeting a header element is application specific. But, it will
probably be used to target header elements to nodes performing an application-specific
function, such as manager or accounting.
It is possible for a receiver to fill more than one role. For instance, an element could
be targeted at a receiver based on a URL and based on its role as the next receiver.
The creator of the header element can specify that the targeted receiver must process
the header or whether it is acceptable for the targeted receiver to ignore the header element.
If the targeted receiver must process the header, it is said that the receiver must
understand the header. If there is a requirement to understand the element but the
receiver does not understand it, the receiver must stop all processing of the message
and return a SOAP fault code. By marking a header as must understand, the creator
can force a receiver to process the header. This is useful for making sure that securityrelated
information is properly processed.
Processing order
SOAP prescribes an order for processing the SOAP-specific parts of a message. This
description follows the SOAP version 1.2 Part 1: Messaging Framework (W3C 2002e). Processing
of the SOAP message must be performed as though it were done in the following
order. First, the receiver must decide what roles it will play. Is it only the next
receiver or is it also the ultimate receiver? The node can use information contained in
headers or the body to make the decision.
Next, the node must identify header elements targeted at it and that it must understand
and decide whether it can process these blocks. If it cannot, all processing must
end and a SOAP fault generated. For the ultimate receiver, processing of the body
should not be considered at this step in deciding whether to generate a fault.
If all mandatory headers can be processed, the node should process the headers and,
in the case of the ultimate receiver, process the message body. The node can choose to
ignore header elements that are not mandatory for it to process. Other faults may be
generated during this phase.
Finally, if the recipient is an intermediary, it must remove header elements targeted
at it, insert any new header elements needed, and pass the message on to the next
receiver with the body unmodified.
Open items
After this description of SOAP message processing, you may be curious to know:
■■ How does a receiver know what role it is playing? The recipient of a message is
always the next receiver, but is it also the ultimate receiver?
■■ How does a receiver decide what order it is going to use to process the headers?
■■ How does a node know who the next receiver is so that the message can be
routed to it?
These are all very good questions, but the SOAP specification does not answer them.
These decisions can be determined using some algorithm programmed into the application,
or determined by some other method that is outside the scope of SOAP.
Once these decisions have been made, instructions that reflect the answers can be
contained in the headers of the message itself. For instance, the originator of the message
can include routing information and more detailed processing instructions in the
header. Or each node can insert instructions for the next.
Message Format
The basic minimal form of a SOAP message is shown in the XML document below. A
data encoding using only built-in types and no additional definitions or declarations is
recommended in the specification. This minimal schema allows SOAP message validation
without XML Schema documents. However, application-specific XML schemas
are allowed, which may require additional validation. DTDs are explicitly disallowed.
Each SOAP message is identified as an XML 1.0 document that has one element with
the local name envelope. It is qualified with the namespace http://www.w3.org
/2002/06/soap-envelope. Besides qualifying the namespace as a SOAP namespace, the
URL identifies the version of SOAP used. In this discussion, we use the June 2002 version
of SOAP 1.2. Attributes are also qualified by the soap-envelope namespace. The
envelope has child elements of an optional header and a required body that we will
describe later.



...


...


Beyond what we have just discussed, there are no required elements within the
SOAP envelope that convey the meaning or intent of the message. There is no requirement
to include the identity of the sender or the receiver, the time or date the message
was created, or a message title. It is expected that each application will define these elements,
if they are required.
While the SOAP specification describes how an RPC can be represented in a SOAP
message, there is no requirement to use the representation described. And, even if the
encoding is used, there is no indicator in the message itself that the message body represents
an RPC. With the exception of guidance on how to encode arguments to an
RPC, the receiver is left to determine how to interpret the contents of the message. It is
expected that the receiver does this, in part, through the use and understanding of
namespaces that associate elements and attributes with the application implemented
by the receiver.
SOAP Message Header
A SOAP Message Header, shown in a modified version of the message from above, is
an optional part of a SOAP message. Its local name is header, and it is qualified using
the same namespace as the envelope, http://www.w3c.org/2002/06/soap-envelope. The
header can contain zero or more namespace-qualified child elements. Two attributes,
role and mustUnderstand, can be associated with child elements of the header. In the
example, hdr1, is qualified in the www.widgets.com/logging namespace.



sec:role=”http://www.w3.org/2002/06/soapenvelope/
role/next”
sec:mustUnderstand=”true”>
...



...


Unlike the message’s body, which may not be modified, the message’s header is a
dynamic part of the message. Intermediaries are required to delete header elements
targeted at them and can add header elements as needed. Adding the same header
back in that was deleted is acceptable.
Role
SOAP header elements are targeted at SOAP nodes. A node performs some function
in processing or routing the message. The value of the SOAP role attribute can be
designated explicitly via a URI or relatively via three predefined values, next, ultimateReceiver,
or none. These relative values correspond to the roles described previously
in the section on SOAP message processing. That is, if the header is targeted at
next, then the next receiver processes the header. If the header is targeted at the ultimateReceiver,
then the ultimate receiver processes the element. Finally, if none is the role
targeted, no receiver processes the element. If no role attribute is specified, the default
is UltimateReceiver, the ultimate receiver. In the example above, the header is targeted
at the next recipient. The namespace of the header hints that the header is targeted at a
logging intermediary that will log the order before it goes to the seller.
Each header element will be processed by at most one role. However, nodes playing
other roles may examine headers not targeted at them. If the node is an intermediary,
it must delete from the message any header elements targeted at it and may add other
header elements for subsequent receivers before passing it on. It is not considered a
fault if the ultimate receiver receives the message and there are header elements that
are not targeted at it. Areceiver must decide for itself whether it is the next receiver or
the ultimate receiver.
MustUnderstand
Besides identifying a header element as intended for a particular receiver, the creator
of a header element may designate that the targeted receiver mustUnderstand it. In
other words, the receiver must know what to do with the header. The receiving software
must understand the semantics of the names in the header element and be able to
process the element accordingly. The header in the previous example, hdr1, must be
understood by the recipient. If the header namespace is not known to it, the receiver
must stop processing the message. Ideally, the processing node should return a SOAP
fault to the requester. But, depending on the protocols used and the routing, there are
conditions where this is not possible.
SOAP Message Body
A message body must have the local name of body. It must be associated with the
http://www.w3c.org/2002/06/soap-envelope namespace. Child elements are optional, and
multiple child elements are allowed. No body-specific attributes are defined. The message
body is targeted at the ultimate receiver, who must understand the body.
Remember that SOAP is a unidirectional protocol. It is often difficult to keep that in
mind. It is natural to think of SOAP as a request/response protocol. But, there is no
requirement to return a response for a message received. Still, message body child elements
have been defined that are the logical consequence of certain inputs. Because of
this, our discussion of the message body will be divided into request message body
elements and response message body elements. However, the reader should keep in
mind that the SOAP protocol regards communication in each direction as separate and
unrelated events. A discussion of the options for returning a response to a SOAP
request is discussed in the section on protocol bindings.
Request message body elements
A SOAP request message body may contain zero or more child elements. If multiple
child elements are present they can represent a single unit of work, multiple units of
work, or some combination of work and data. Request body elements can be divided
into two categories, document type and RPC type. The distinction is subtle. There is
nothing that distinguishes an RPC message body from a document body.
Document body elements are analogous to paper documents. Most likely, they will
be forms that have an understood structure such as purchase orders, invoices, itineraries,
or prescriptions. In order for the document to be processed correctly, it is important
that the ultimate receiver be cognizant of the namespace that defines the elements
of the document.
RPC message bodies are XML-based remote procedure calls. SOAP Version 1.2 Part
2: Adjuncts (W3C 2002f) describes how to encode data structures used by programming
languages to convey parameters in procedure calls. SOAP does not mandate the use of
these encoding rules and acknowledges the possibility of using other encoding rules.
However, use of other encodings will adversely impact the interoperability of the RPC.
Two options exist for encoding the arguments of an RPC. First, the SOAP RPC invocation
can be a struct where the name of the struct corresponds to the procedure or
method name. Each input or in/out argument to the procedure is a child element
structure with a name and type corresponding to the name and type of the parameter
in the procedure signature. The second RPC encoding method is to encode each argument
as an element of an array. The name of the array corresponds to the name of the
procedure and the position in the array corresponds to the position in the argument
list. If problems occur, several RPC specific faults have been defined which will be
described later.
The following example invokes an RPC called buy. This RPC is in the form of a
structure and takes two arguments, the order and the shipInfo. Note that there is no
explicit indication that this is an RPC invocation.



sec:role=”http://www.w3.org/2002/06/soap
envelope/role/next”
sec:mustUnderstand=”true”>
...



env:encodingStyle=”http://www.w3.org/2002/06/soapencoding”>
currency=”USdollars”>
4567
6
3.25
19.50


My Company
234 Main St.
Boston
MA




Response message body elements
The content of response message bodies can be documents, RPC responses, or a SOAP
fault. Just as a document can be received, a document can result from the receipt of a
document. For instance, a reservation request can result in the creation of an itinerary.
Using SOAP to transmit a document has already been described, so the discussion will
not be repeated here.
The response to an RPC can be a structure or an array. The name of the structure is
identical to the name of the procedure or method that is returning the information. If
the procedure or method returns a value, it must be named result, and it must be namespace
qualified with http://www.w3.org/2002/06/soap.rpc. Every other output or
input/output parameter must be represented by an element with a name corresponding
to the parameter name. If an array is used, the result must be the first element in the
array. The result element, if there is one, is followed by array elements for each out or
in/out parameter, in the order they are specified in the procedure signature. The following
example illustrates the response to the RPC invocation from the previous section.
For this response, there is no special header targeted at the recipient. A result is
returned indicating the status of the RPC invocation.



env:encodingStyle=”http://www.w3.org/2002/06/soapencoding”>

okay




ASOAP output message may also contain a SOAP fault. SOAP faults are generated
in response to errors or to carry other status information. This is the only body child
element that is defined by SOAP. The element must have a local name of fault and a
namespace of http://www.w3.org/2002.06/soap-envelope. Only one fault element may
appear in the message body. Child elements of code and reason are required within the
fault element. Other child elements, node and role, and details are optional. Code is a
structure that consists of a value that designates the high-level fault and an optional
subcode that provides additional details on the fault. Reason is a human-readable representation
of the fault. Node identifies the SOAP node that encountered the fault. Role
identifies what role the node was operating in when the fault occurred. Finally, detail
carries application-specific fault information. SOAP defined faults are:
■■ Version mismatch.
■■ Inability to understand or process a mandatory header.
■■ A DTD was contained in the message.
■■ A data encoding was referenced that is not recognized by the processor.
■■ The message was incorrectly formatted or did not contain needed information.
■■ The message could not be processed for some reason other than that the message
was malformed or incomplete.
For SOAP RPC, additional fault codes have been defined. Fault codes can be
extended to handle application specific needs.
SOAP Features
Key to SOAP’s future success is the ability to add capabilities to it and extend it. SOAP
features are abstract capabilities related to the exchange of messages between SOAP
nodes. These capabilities can include reliability, guaranteed delivery, and security.
If a feature is implemented within a SOAP node, the feature is implemented by
modifying the SOAP processing model. If the feature affects the interaction between
two successive nodes, the feature is implemented as part of the SOAP protocol binding.
One limitation of a protocol binding is that it relates two nodes connected by a single
transmission. End-to-end transmission may be implemented using different
protocols, requiring multiple transmissions. In these cases, the feature should be
expressed in SOAP header blocks and implemented by the processing model.
Features are expressed as modules or Message Exchange Patterns. Modules are
expressed as SOAP header blocks. The content and semantics of the header blocks
must be clearly and completely stated. In addition, if the operation of the module
affects the operation of other SOAP features, these effects must be identified.
AMessage Exchange Pattern (MEP) is a template, defined in the SOAP specification
(W3C 2002f) used to describe the exchange of messages between SOAP nodes. Amajor
part of specifying a binding is to describe how a protocol is used to implement any
MEPs it claims to support. Two MEPs, Request-Response and Response, have been
defined so far. The request-response MEP is exactly what we’d expect and is used
for RPCs. The response MEP is the sending of a SOAP response after receiving a
non-SOAP request. The MEP describes actions from the point of view of both the
requesting and the responding nodes.
The MEP is a distributed state-based specification of a node’s operation. At any particular
point in a message exchange, a node is in a specific state. Upon receipt of an
input, sending an output, or the arrival of some other event, the node enters a new
state and undertakes some processing.
HTTP Binding
Many underlying protocols can be used to transmit SOAP messages. The selected
underlying protocol may also provide additional features such as assured delivery,
correlation of a response to a request, or error correction and detection that enhance
SOAP. In addition, the underlying protocol may support patterns of message exchange
that are more complex than the simple one-way exchange specified by SOAP.
A SOAP protocol binding describes how an underlying transmission protocol is
used to transmit the SOAP message. Abinding framework is used as a formal method
to describe the relationship between SOAP and its underlying transmission protocol. It
describes the operation of one node as it exchanges and processes a single message.
Other functionality supported by the binding is also described in the framework.
SOAP defines a default HTTP binding (W3C 2002f). Unless otherwise agreed to,
SOAP over HTTP is transmitted using this binding. The binding supports the requestresponse
and Response MEP and specifies how HTTP is used to implement the pattern.
For the request-response MEP, the HTTP protocol binding describes how requests
are transmitted using HTTP by the requesting node and how the responses are sent in
the responding state at the responding node. SOAP request messages are sent using
HTTP POST requests. The HTTP URL identifies the target node as well as the application
that receives the message. The SOAP message is carried as the body of an HTTP
POST. The HTTP content-type header must be application/soap. The corresponding
response is returned using the HTTP response. This provides a natural way to correlate
the SOAP request with its response.
In the HTTP binding, the SOAP response message is sent in the response to an HTTP
request. For the request-response MEP, the SOAP request message is sent in an HTTP
POST request. For the SOAP response MEP, the request is transmitted as an HTTP GET
request. The HTTP binding only supports this MEP to request information. When used
in this way, the interaction will be indistinguishable from conventional HTTP information
retrieval. The MEP can only be used when there are no intermediaries between the
initial sender and the ultimate receiver. The information retrieved must be identified
by the URL alone because there is no SOAP message envelope to transmit additional
identification to the service provider.
SOAP Usage Scenarios
SOAP is a very simple protocol, but this simplicity supports many kinds of interactions,
some of them very complex. To illustrate the variety of ways that SOAP can be
used, the W3C, XML Protocol Working Group has sponsored the creation of SOAP Version
1.2 Usage Scenarios (W3C 2002g).
SOAP Usage Scenarios span the basic, one-way SOAP message transmission to
request/response to intermediaries. The scenarios also cover the provision of features
such as caching, routing, and quality of service. Familiarity with these scenarios gives
more appreciation of the ways that SOAP can be used.
Universal Description Discovery and Integration
One perceived obstacle to widespread, easy access to Web Services is limited ability to
locate suitable Web Services. If an enterprise needs a service that it doesn’t already use,
how does it discover providers that offer the service? Today, enterprises make use of
various directories to identify a vendor or products or services of interest. The directories
offered by the phone company are an example of one such type of directory, but
industry-specific directories are also possible. To provide information on Web Services
available over the Internet, a comparable type of Internet facility has been conceived.
Aconsortium of companies, including Ariba, IBM, and Microsoft, began developing
the concept of an Internet business directory. The result is the UDDI Project. UDDI continues
to be a collaborative effort of concerned businesses. Unlike the topics that have
been discussed so far, UDDI is more than a specification or standard. It encompasses
an infrastructure that implements the standard and allows Internet-wide, all-inclusive
search and discovery of Web Services.
UDDI includes a structured way to describe a business, the services that are offered
by the business, and the programmatic interface to the services. Data is organized so
that a business may offer multiple services, and a service (which may have been developed
by a separate organization) may be offered by more than one business.
UDDI is a Web accessible directory and is built on SOAP over HTTP. A UDDI registry
is basically a Web Service. Two sets of SOAP interfaces have been defined. One set
of interfaces for potential subscribers supports searching for services or direct retrieval
of details about known services of interest. While UDDI is built on SOAP, it should be
pointed out that the services described in the directory are not required to be SOAP
services. The directory’s discovery services can also be used to mitigate problems that
occur during runtime access of the registered Web Service. If a service is not accessible
at a previously published location, the registry can be updated to refer to a location
where the service can be accessed. Service subscribers can then update their location
caches. The second set of interfaces is for use by service providers and supports saving
descriptions, deleting descriptions, and security for access to these services.
The infrastructure conceived by the UDDI Project is a single, distributed network of
directory operators called the UDDI Business Registry. Business and service descriptions
published by the Business Registry are intended to be publicly available to anyone
without restriction. Publishing and deleting information are subject to authorization
checks. Publishing a description at one node results in the description being propagated
to and available at all nodes. IBM, Microsoft, SAP, and HP operate nodes.
An alternative to public business registries are private registries that make Web Services
known to a community of potential subscribers. The community can be based on
a common line of business, such as building construction or manufacturing lawn furniture,
or the community could be a single company. Private registries cater to subscribers
who have common interests and needs. Unlike the business registry, access to
a private registry may not be open to everyone, and controlling access to the information
becomes important.
A business registry contains a variety of company-specific data so that a potential
subscriber can decide whether it wants to do business with the service provider and, if
it does, what must be done to use the service. Besides the name of the company, the
registry can include other identifying information, such as tax number, a text description,
and contact information. Industry segment or business categorization descriptors
support use of the registry for searches based on industry. Potential subscribers can
locate companies that offer the type of services they need. Finally, the registry can contain
technical and programmatic descriptions of the Web Services offered by the company
so that programmers have the information they need to interface with the Web
Services offered.
Five structures have been defined for UDDI entries. They are businessEntity, businessService,
bindingTemplate, tModel, and publisherAssertion. The diagram in Figure 2.4,
taken from UDDI Version 2.0 Data Structure Reference, UDDI Open Draft specification
8, June 2001, illustrates their relationship.
The businessEntity structure represents a business. The structure is made up of a Universally
Unique ID (UUID) that is assigned to each business entity, and can also
include a business name, description, and the contacts that are in the white pages.
These identifiers and categories are descriptors that can be used to classify businesses
and the services they provide. Finally, the structure optionally includes one or more
businessService structures.
The businessService structure includes data about a service being offered by the business.
This structure contains a UUID that is assigned to each business service, an
optional text-based description of the service and category descriptors, and zero or
more binding templates.
The bindingTemplate structure identifies how and where a service can be accessed.
Each binding template is assigned a UUID and contains an address that can be used to
call a Web Service. This address can be a URL or an e-mail address. The tModelInstanceDetails
element of the binding template identifies a specific tModel that contains
the details of the interface used to access the Web Service. The bindingTemplate includes
zero or more tModels.
The tModel structure contains the technical specification of the Web Service interface.
It contains a UUID for the tModel, a name, and a description. tModels can contain
identifier and category descriptors.
The publisherAssertion provides a way for two businesses to assert a joint relationship.
For this to work, both businesses must agree to the assertion before it is published.
While UDDI depends on SOAP for its API structure, the services listed in a UDDI
Registry need not be limited to SOAP-based services. Likewise, SOAP subscribers are
not limited to using UDDI registries to locate Web Services. Subscribers can learn of the
existence of a Web Service through word of mouth, from an advertisement, or by looking
up the desired service in a paper-based phone directory. Once the service has been
located, details of the service can be provided to the subscriber by email, on a floppy
disk, or in a manual. There is no tight coupling between SOAP and UDDI. UDDI is not
needed in order for SOAP to succeed. For all these reasons, adoption of UDDI is not
happening as quickly as its backers expected. As we will see in the next section, the
same holds true for the relationship between UDDI and WSDL.
WSDL
To ease the burden of developing SOAP code, a vendor standard for an XML-based
language to describe the SOAP interface has been developed. The initial Web Services
Description Language (WSDL) (Microsoft 2001) specification was a joint development of
Ariba, IBM, and Microsoft. The WSDL 1.1 specification was turned over to the W3C,
which published it as a note (W3C 2001b) in March 2001. The W3C Web Services
Description Working Group is now working on further development of the language.
Earlier, we discussed concerns about the verbosity of XML. WSDL expands XML
several times over. Luckily, WSDL is usually only used during design and development
of Web Services applications. We should also note that even though WSDL is
text-based, human beings were not meant to comprehend WSDL. It is a machine-generated
and machine-processed markup language used with software development
tools. Finally, WSDL is its own markup language. It is not SOAP. So if someone looks
at it and it does not look familiar, this is understandable.
Since we don’t expect that human beings will have to dissect a WSDL specification,
we won’t go into the details of WSDL. Instead, we’ll discuss its structure and describe
how it specifies the interfaces to Web Services.
WSDL documents describe logical and concrete details of the Web Service. The logical
part of the WSDL document describes characteristics of Web Services that are
determined by the service developer and are valid regardless of the actual implementation.
The concrete part of the document describes aspects of the service that are
decided by the service provider. This supports the independent development of Web
Services that may be offered by different service providers. Figure 2.5 shows the parts
of a WSDL document.
To define an interface with WSDL, we begin by defining the types of data exchanged
across the interface. The type portion of a WSDL document declares the namespaces
and datatypes used in the Web Services messages that constitute the service. It defines
application-specific data types. Data is then organized into messages. In the case of
SOAP, message descriptions only apply to the body of the SOAP message. Headers are
defined elsewhere within the WSDL document. portType defines the operations supported
by a logical endpoint and the messages sent or received. For instance, a SOAP
service provider receives a message and generates a response to the received message.
The messages received and sent in response are defined in the message portion of the
WSDL message.
Up to this point, no implementation-specific information should be specified. For
instance, the protocol used to transmit the messages, the encoding used for the data,
and the location of the actual ports that are the connection points should not have been
given. These features are regarded as differentiators for different Web Services
providers. The service provider rather than the service developer makes these choices.
The bindings, ports, and service portions of a WSDL document specify this information.
First, bindings are used to specify the underlying protocol used to transport the
messages in a portType (portTypes were previously defined in the logical portion of
the WSDL document). The binding also specifies the encoding for the messages that
are part of the operations in the portType. Aport specifies the address at which the service
is available. Finally, a service specifies the ports at which the service is available.
WSDL is not tightly coupled to SOAP, and the interface WSDL describes can be
accessed via other protocols. Several bindings extend WSDL to account for differences
in underlying transport protocol. There is a SOAP binding, an HTTP GET or POST
binding without SOAP, and an SMTP binding. The SOAP binding describes how to
specify whether a message body is a document type or an RPC type. If the message is
an RPC, it describes how to identify arguments. The SOAP binding also includes the
definition of header elements and header fault elements.
Because Web Service descriptions allow independently specified components, there
is a lot of redundancy in a WSDL document. Operations reference messages. Bindings
reference operations, and messages further define how the operations and messages
are transmitted. This redundancy, combined with the use of XML, is responsible for the
large size of a WSDL document compared to the actual SOAP messages it defines. This
is the price of modularity.
WSDL is loosely coupled with SOAP and UDDI. There is a SOAP binding for WSDL,
but there are also HTTP GET and POST bindings and an SMTP binding. SOAP interfaces
can be specified by other means. There is guidance for using WSDL to provide the tModel
and binding template of a UDDI entry, but UDDI could be used with other description
languages, and there are other ways to distribute WSDL interface specifications.
A SOAP service provider is not required to use WSDL. WSDL’s verbosity makes it
difficult for human beings to understand and is an impediment to its acceptance.
Developers who use WSDL are those using development tools that automatically generate
and consume WSDL interface descriptions.

Web Services

Distributed Computing
Pressures to share information and cooperatively share processing lead to the notion of
distributed processing. Traditional distributed processing models assume that there is
a common environment or architecture between cooperating entities. When both parties
try to accomplish a processing task using J2EE or COM+, a common architecture
exists for the invocation of operations or sharing of data. This makes it relatively easy
to connect applications. While a common architecture does not guarantee interoperability,
it makes it easier to achieve.
It isn’t always possible for all the participants in distributed processing activities to
use the same architecture and processing environment. When processing must be
spread across organizations, their architectures, platforms, and development languages
are likely to be different. Complications arising from mismatches in environments can
exist between companies and can even exist between departments or divisions within
the same company. An organization with a large investment in an existing infrastructure
cannot afford to change its architecture and processing capabilities, even if successful
distributed processing depends on it. And, if one organization is willing to make
the change to accommodate another organization, there are probably other groups it
needs to work with that can’t make such an all-encompassing change. As a result, it’s
unlikely that organizations will be able to use a common environment.
Current processing architectures are single domain, but multitiered. That is, the processing
load within a domain is spread among several systems, each handling a welldefined
portion of a transaction. The systems can work sequentially or in parallel. A
common division of responsibility is to have a front-end processor that handles data
presentation and user interaction, a middle tier that is responsible for implementing
business logic, and a back-end system that may be a data repository or a mainframe
that performs batch processing.
A logical extension of multitiered processing is multidomain processing. A processing
domain is a computing facility under the control of a single organization. Adomain
may include many computers and utilize different processing architectures. A department
or a division within a company may control a domain, or a domain may be under
the control of a company. Within a large company, there may be an accounting domain
and a purchasing domain. We want the accounting system to know of purchases occurring
in the purchasing system so that the bills can be paid automatically. Between companies,
it may be desirable for a purchasing system to request bids from and send
purchase orders to vendors’ systems.
Multidomain processing is generally very difficult to implement because of the disparate
platforms, environments, and languages in different domains.
One notable attempt at achieving multidomain processing is Electronic Data Interchange
(EDI). EDI is a standard format for exchanging financial or commercial information.
Two versions of EDI are in use. They are Accredited Standards Committee
(ASC) X12 and the International Standards Organization’s Electronic Data Interchange
for Administration, Commerce, and Transport (EDIFACT). The latter standard is often
referred to as UN/EDIFACT, since it was originally developed by a United Nations
working party.
With EDI, a company can transmit a purchase order to its vendor. Banks use EDI to
send funds transfer information to financial clearinghouses. Value-added networks are
used to transfer the EDI messages. EDI has existed since about 1980, and it has been
used successfully by many companies.
By dealing with the structure and format of data exchanged, EDI frees each party to
the transaction from the requirement for a uniform computing environment. So long as
the sender can construct the correct message, it does not matter what platform, operating
system, or application created the message. Likewise, on the receiving side, so long
as the receiver can parse the message, identify the elements of interest, and process
them appropriately, the processing environment at the receiver’s end is of no consequence.
The transaction has been processed by two loosely coupled systems located in
two separate domains.
There are several reasons why EDI is not used more widely. EDI messages are rigid.
The data is not self-defining, and it is presented in a prescribed order with a fixed representation.
This rigid structure often needs modification when users discover needs
that cannot be accommodated by the existing fields. However, EDI’s rigidity makes
changes, such as adding new fields, difficult to implement. This leads to a multitude of
vendor- and customer-specific implementations.
Another reason for EDI’s limited acceptance is that specialized software is required,
which can be very expensive. EDI documents are often transferred via specialized,
value added networks, increasing cost and support requirements. Implementing EDI
can be very costly, and a company needs a very compelling reason before choosing to
adopt it.
Distributed Processing across the Web
Extensible Markup Language (XML), which is a platform-independent way to specify
information, is the foundation of Web Services. SOAP, which originally stood for Simple
Object Access Protocol (newer versions of the specification do not use it as an
acronym), builds on XML and supports the exchange of information in a decentralized
and distributed environment. SOAP consists of a set of rules for encoding information
and a way to represent remote procedure calls and responses, allowing true distributed
processing across the Web. XML and SOAP enable platform- and data-independent
interfaces to applications. Because Web Services are usually built on HTTP, they
can be delivered with little change to existing infrastructures, including firewalls.
UDDI and WSDL also support Web Services. Universal Description, Discovery, and
Integration (UDDI) is a mechanism for discovering where specific Web Services are
provided and who provides them. Web Services Description Language (WSDL) specifies
the interfaces to these Web Services, what data must be provided, and what is
returned. SOAP, UDDI, and WSDL are the underlying technologies upon which Web
Services are based. Using these protocols (shown in Figure 2.1), systems from different
domains, independent environments, or with different architectures can engage in a
cooperative manner to implement business functions. SOAP, UDDI, and WSDL are
built using XML and various Internet protocols such as HTTP.
SOAP, UDDI and WSDL are used in different phases, called publishing, finding, and
binding, in the Web Services development cycle. The Publish, Find, and Bind Model is
shown in Figure 2.2.
The model begins with the publish phase, when an organization decides to offer a
Web Service (1). The Web Service can be an existing application with a new Web Service
front end, or it can be a totally new application. Once an enterprise has developed
the application and made it available as a Web Service, the enterprise describes the
interface to the application so that potential users interested in subscribing to it can
understand how to access it. This description can be oral, in some human language
such as English, or it can be in a form, such as WSDL, that can be understood by Web
Services development tools. To facilitate automated lookups, the service provider
advertises the existence of the service by publishing it in a registry (2). Paper publications
or traditional Web Services can provide this service, or UDDI directories can
advertise the existence of the Web Service.
The next step of the model is the find phase. Once the service is advertised in a
UDDI registry, potential subscribers can search for possible providers (3 and 4) and
implement applications that utilize the service (5). Potential subscribers use the entries
in the registry to learn about the company offering the service, the service being
offered, and the interface to the service.
The final phase of the model is the bind phase. When a subscriber decides to use a
published service, it must implement the service interface, also called binding to the
service, and negotiate with the service provider for the use of the service. The negotiation
can cover mutual responsibilities, fees, and service levels.
When the application has been implemented and the business relationships
resolved, the Web Service is utilized operationally. The only participants at this point
are the service subscriber, who requests the service (6), and the service provider, who
delivers the service (7). WSDL and UDDI registries are generally only used during the
initial discovery of the service and the design of the application.
Web Services Pros and Cons
Web Services have many advantages that were not enjoyed by earlier attempts at crossdomain
interoperability. Since Web Services are in the early phase of adoption, we cannot
readily point to many actual implementations that prove Web Services live up to
expectations. Nevertheless, Web Services have many characteristics that set them apart
from solutions that came before them and make Web Services more likely to succeed.
The advantages of Web Services are:
■■ Web Services processing is loosely coupled. Earlier attempts to address
cross-domain interoperability often assumed a common application environment
at both ends of a transaction. Web Services allow the subscriber and
provider to adopt the technology that is most suited to their needs to do the
actual processing.
■■ Web Services use XML-based messages. Web Services using XML have a
flexible model for data interchange that is independent of the computing
environment.
■■ Participating in Web Services does not require abandoning existing investments
in software. Existing applications can be used for Web Services by
adding a Web Services front end. This makes possible the gradual adoption of
Web Services.
■■ Software vendors are coming out with tools to support the use of Web Services.
Organizations can use currently available tools from vendors such as IBM,
Microsoft, Sun, and others. There is no delay between interest in the technology
and the availability of tools to implement and use Web Services.
■■ There is a lot of emphasis on the interoperability of Web Services. Web Services
tool developers are working to demonstrate interoperability between implementations.
It’s likely that this will pay off and allow developers to choose
tools from one vendor and be confident that they will be able to interoperate
with other implementations.
■■ The modular way Web Services are being defined allows implementers to pick
and choose what techniques they will adopt. Other than having a basis in XML,
SOAP, UDDI, and WSDL, the building blocks of Web Services have related, but
independent capabilities. They are not tightly coupled and don’t depend on
each other to function.
■■ Use of Internet standard protocols means that most organizations already have
much of the communications software and infrastructure needed to support
Web Services. Few new protocols need to be supported, and existing development
environments and languages can be used.
■■ Web Services can be built and interoperate independently of the underlying
programming language and operating system. In organizations where there
isn’t a single standard, Web Services make interoperability possible, even when
one part of the organization uses .NET, while another portion uses Java, to
build their Web services, and other organizations use other technologies.
Reservations about Web Services fall into two categories. First, Web Services are not
proven technology; there is some suspicion that Web Services are the fashionable solution
of the day. That is, some think that Web Services are the current fad, and like many
other solutions to the distributed processing problem from the past, they will not
deliver. While we cannot disprove this, the advantages that Web Services have over
past solutions are significant.
The second reservation about Web Services centers on its reliance on XML. While
there are many advantages to XML, size is not one of them. Use of XML expands the
size of data several times over. The size of a SOAP message translates into more storage
and transmission time. The flexibility of SOAP means that more processing is
needed to format and parse messages. Do the advantages of XML outweigh the additional
storage requirements, transmission time, and processing needed? The answer is
a qualified yes. The flexibility offered by XML is required when trying to connect two
dissimilar processing environments in a useful way. Spanning processing domains
requires a flexible representation. However, once a message is within a single environment,
on either side of the connection, implementers must decide the extent to which
XML is required. XML will not always be the choice to represent data within a single
processing domain.
Extensible Markup Language
In order to understand Web Services, the reader must understand XML. Much of what
we’ll be discussing in this chapter, and other chapters in this book, is based on XML.
You’ll see it in many of our examples.
XML is a derivative of the Standard General Markup Language (SGML) (ISO 1986).
SGML is an international standard for defining electronic documents and has existed
as an ISO standard since 1986. SGML is a meta document definition language used for
describing many document types. It specifies ways to describe portions of a document
with identifying tags. Specific document types are defined by a document type definition
(DTD). A DTD may have an associated parser, which is software that processes
that document type.
HTML, an SGML application, has been well accepted on the Web but regarded as
limited because of its fixed set of tags and attributes. What was needed was a way to
define other kinds of Internet documents with their own markups, which led to the
creation of XML. Work on XML began in 1996, under the auspices of the World Wide
Web Consortium (W3C). The XML Special Interest Group, chaired by Jon Bosak of Sun
Microsystems, took on the work. It was adopted as a W3C Recommendation in 1998
(W3C 2000).
XML is a specialized version of SGML used to describe electronic documents available
over the Internet. Like SGML, XML is a document definition metalanguage. Since
XML is a subset of SGML, XML documents are legal SGML documents. However, not
all SGML documents are legal XML documents.
XML describes the structure of electronic documents by specifying the tags that
identify and delimit portions of documents. Each of these portions is called an element.
Elements can be nested. The top-level element is called the root. Elements enclosed by
the root are its child elements. Each one of these elements can, in turn, have its own
child elements. In addition, XML provides a way to associate name-value pairs, called
attributes, with elements. XML also specifies what constitutes a well-formed document
and processing requirements. XML, like SGML, allows for DTDs. But, DTDs are not
used with SOAP, which will be discussed later in this chapter. Instead, SOAP uses XML
Schemas, so our examples will be based on XML Schemas rather than DTDs.
XML elements begin with a start tag and end with an end tag. Each document type
has a set of legal tags. Start tags consist of a label enclosed by a left angle bracket (<)
and a right angle bracket (>). The corresponding end tag is the same label as in the start
tag prefaced by a slash (/), both enclosed by the left and right angle brackets. For
instance, a price element looks like 123.45. Unlike HTML, every start
tag must be matched by a corresponding end tag.
Start tags may also contain name-value pairs called attributes. Attributes are used to
characterize the element between the start and end tags. In our previous example, a
currency attribute could be included in the start tag to designate the currency of the
price, 123.45. There are several kinds of attributes.
Those most commonly encountered are strings. A specific predefined attribute
that will be important later in this chapter is ID. The ID attribute associates a name
with an element of an XML document.
XML defines a small number of syntax restrictions such as requiring an end tag to
follow a start tag. These restrictions enable the use of XML parsers, which must be flexible
enough to work with any XML-specified document. Any document that follows
these restrictions is said to be well formed.
The term XML is used in the literature in several ways. The common uses are:
■■ The metalanguage specified in (W3C 2000). In our examples, this will involve
the use of XML Schemas as well.
■■ An XML specification for an application-specific document type.
■■ A specific document created using the application-specific markup language.
To clarify these uses, let’s consider the case of a developer wishing to implement a
purchasing application. This developer wants to describe a purchase order and decides
to use XML, the metalanguage, for this purpose. So, the developer uses XML, the metalanguage,
to define the tags that identify the elements of a purchase order. The developer
defines an order as a sequence of element. Then, she defines tags for the elements.
These elements are orderNum, itemDescription, quantity, unitPrice, and aggregatePrice.
The developer also defines an attribute called currency, which can be applied to order.
If the attribute is used, the purchase order application will associate the currency of
order with the price elements. The resulting XML specification is shown below:

xmlns:xs=”http://www.w3.org/2001/XMLSchema”
xmlns=”www.widgets.com”
elementFormDefault=”qualified”
attributeFormDefault=”unqualified”>













An instance of a purchase order is an order for five widgets, part number 9876, for
$34.23 each. This XML purchase order document is shown below. Note that each name
is now a tag. Values associated with each tag are sandwiched between the start tag and
its corresponding end tag. We also use the attribute to designate prices in dollars.

xmlns=”www.widgets.com”
xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”
xsi:schemaLocation=”www.widgets.com>
9876
widgets
5
34.23
171.15

Supporting Concepts
XML relies on several other concepts to be effective. Two important concepts used
within the XML specification are Uniform Resource Identifiers (URIs) and the XML
namespace. XML Schemas, a separate W3C Recommendation, is used with XML to
provide greater control over data types. In fact, we’ve already been using all three in
our examples.
Uniform Resource Identifiers
URIs identify abstract or physical resources. The resource can be a collection of names
that has been defined by some organization or it can be a computer file that contains
that list. A URI follows the form: :.
The most familiar form of a URI is the Uniform Resource Locator (URL). It usually
specifies how to retrieve a resource. It denotes the protocol used to access the resource
and the location of the resource. The location can be relative or absolute, but it must be
unambiguous. For URLs, the scheme is usually a protocol to access the resource, and
the scheme-specific part is the user’s name when accessing the resource, the password
that allows access, the host of the resource, the port, and the URL path. Not all of the
constituents of the scheme-specific part are required.
In addition to complete resources, URLs can be used to refer to an element of an
XML document. In order to do this, an ID attribute must be used with the element to
associate a unique name with the element. Then, the URL string ends with the ID
string. We modified our purchase order to include an ID attribute.

ID=”ThisPO”
xmlns=”www.widgets.com”
xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”
xsi:schemaLocation=”www.widgets.com>
9876
widgets
5
34.23
171.15

External references to the element must be qualified by the complete URL to the document
followed by # and the ID string. An example of this is:
http://www.mysys.com/ThisOrder.xml#ThisPO. If the element is being referenced from
within the XML document, the URL can be shortened to #ThisPO.
The other form of URI is the Uniform Resource Name (URN). Unlike a URL, the
URN is not location dependent. There are no requirements that a URN be locatable. It
can be purely logical and abstract. It does have to be globally unique and persistent.
Global uniqueness is ensured by registering the URN. For a URN, the scheme is “urn:”,
which is fixed. The scheme-specific part consists of an identifier followed by a “:” and
then a namespace-specific string, which is interpreted according to the rules of the
namespace (this is described in the next chapter). An example of a URN is:
urn:ISBN:0471267163. In this case, ISBN identifies the namespace as an International
Standard Book Number and the number identifies a particular book.
Namespaces
As XML-based applications are implemented, a developer may wish to use elements
defined by the service developer. But, XML documents are likely to consist of a combination
of elements and attributes from several different sources, each source working
independently of the others. It should be possible to associate elements and attributes
with specific applications, while eliminating confusion due to duplication of element
or attribute names.
To make it easier to use elements or attributes associated with specific applications
while resolving possible ambiguity over the use of an element or attribute name,
namespaces are used (W3C 2002c). A namespace is a collection of names. An element
or an attribute can be associated with a namespace, thereby identifying it as having the
semantics of the elements or attributes from that namespace. Qualifying a local name
with a namespace eliminates the possibility of misunderstanding what a name denotes
or how its value should be formatted. Qualifying a name is accomplished by declaring
a namespace, then associating the namespace with a local name.
Namespaces are identified by a URI, usually a URL. An example of a namespace
declaration is: . This declaration
allows elements and attributes within the scope order to identify their membership
within the namespace by prepending acct: to the element or attribute name. The URL
in the declaration does not always resolve to a location that can be reached over the
Internet. It may simply serve to make any names qualified in the namespace unique.
The following example takes our purchase order and illustrates how to qualify
names. Two namespaces are declared. The first is used for elements defined by the purchasing
department, which includes the purchase order number and the item description.
The second declares a namespace defined by the accounting department, which
includes the number of units and the prices. To make this example more meaningful,
we’ve changed the element name orderNum to num, and quantity to num. Now, without
some assistance, we wouldn’t be able to differentiate the two elements named num.
This is where namespaces are useful.

xmlns=”www.widgets.com”
xmlns:orderform=”http://www.widgets.com/purchasing”
xmlns:acct=”http://www.widgets.com/accounting”
xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”
xsi:schemaLocation=”www.widgets.com>
9876
widgets
5
34.23
171.15

In this example, two additional namespaces are declared for use within a purchase
order. The first is designated orderform, and the second is acct. Neither of the URLs that
specify the namespace have to be reachable via the Internet nor do they even have to
exist as files. Their purpose is to uniquely qualify names and attributes as belonging to
the purchasing namespace or the accounting namespace. Later, two child elements
orderform:num and acct:num are specified. Because they are qualified, we know that the
9876 is a purchase order number and that 5 is a number of units.
XML Schema
XML Schema (W3C 2001d, W3C 2001e) is a language used with XML specifications to
describe data’s structure, the constraints on content, and data types. It was designed to
provide more control over data than was provided by DTDs that use the XML syntax.
While XML Schema and DTDs are not mutually exclusive, XML Schema is regarded as
an alternative to DTDs for specifying data types. SOAP, which we will discuss later,
explicitly prohibits the use of DTDs.
In many ways, XML Schema makes XML interesting. XML provided two ways to
aggregate elements: sequence and choice. A sequence of elements requires that each
element of the sequence appear once in the order specified. Choice requires that a
single element be present from a list of potential elements. With XML Schema, the
language designer can specify whether an element in a sequence must appear at all,
minOccurs, or whether there is a maximum number of appearances, maxOccurs.
XML Schema datatypes are primitive or derived. A primitive datatype does not
depend on the definition of any other datatype. Many built-in primitive datatypes have
been predefined by XML Schema. They include integer, boolean, date, and others.
Derived datatypes are other datatypes that have been constrained, explicitly listed, or
combined (the actual term used in the specification is “union”). Constrained datatypes
take an existing datatype and restrict the possible values of the datatype. The derived
datatype belowSix consists of integers restricted to values between 0 and 5. The restriction
on the datatype is called a facet. A datatype may consist of a list of acceptable values. A
datatype of U.S. coins contains penny, nickel, dime, and quarter. The union of U.S. coins
with U.S. paper denominations results in all United States currency denominations.
XML Schema is useful for several reasons. First, the built-in datatypes of XML
Schema support the precise definition of data. With facets, schemas can constrain the
values of XML data. Finally, a definition that is more precise can be achieved with
derived datatypes. Once a schema has been defined, schema processors are able to validate
a document to ensure that the document corresponds to the schema’s structure
and permissible values. This checking can eliminate a source of many of the vulnerabilities
that plague Web-based systems.
We have modified the purchase order example to show some of the features we’ve
just discussed. Up until now, we have conveniently avoided discussing lines 2– 4 of the
example. What they do is identify this XML document as an XML Schema document
that defines the namespace http://www.widgets.com. Line 4 also declares the default
scope of the names in the schema to be www.widgets.com. We’ve been using XML
Schema all along. In this example, each of the elements is now associated with an
appropriate data type. In addition, we have specified that the itemDescription element
is optional and does not have to be in the sequence.

xmlns:xs=”http://www.w3.org/2001/XMLSchema”
xmlns=”www.widgets.com”
elementFormDefault=”qualified”
attributeFormDefault=”unqualified”>




minOccurs=”0”/>


type=”xs:decimal”/>





There are many other aspects to XML Schema. Agood overview is contained in XML
Schema Part 0: Primer (W3C 2001c). XML Schema are placed in a separate schema document
so that type definitions can be reused in other XML documents. This can lead to
confusion when the term XML schema is used. This confusion is comparable to what
occurs when XML is used. When a separate XML schema document is used, references
to the XML schema instance must be namespace qualified so that the XML schema
processor can determine that a separate schema instance is being referenced. This is
usually done by declaring an XML namespace using an attribute with xmlns: for a suffix.
The location of the schema instance can be declared eliminating any possibility of
ambiguity. We’ve been declaring the namespace in our order examples using the
xmlns: attribute.
The advantage of using this schema is that there are schema processors that check
the values of elements to ensure that the values comply with the facets in the schema.
This reduces the possibility of using improperly formed input as a means of compromising
the security of an XML-based system.

Unifying Web Services Security

As e-business environments have evolved to Web Services models, security technologies
have been trying to keep up. As you’ll see throughout this book, we believe that
most of the pieces of the security puzzle exist, but that it still takes considerable effort
to put all these pieces together to build an integrated solution. Figure 1.3 provides an
overview of the different security technologies that need to be integrated.
Twenty years ago life was reasonably simple for the security professional. Sensitive
data resided on monolithic back-office data stores. There were only a few physical
access paths to the data, which were protected by well-understood operating system
access control mechanisms. Policies, procedures, and tools had been in place for many
years to protect legacy data stores.
Then, several years ago, Web-based applications burst onto the scene. With the
advent of e-commerce in this environment, secure access to Web servers was extremely
important. Today, there are many mature perimeter security technologies, such as SSL,
firewalls, and Web authentication/authorization servers, that enforce security between
browser clients and corporate Web servers.
Companies are now building complex e-business logic using Web Services in application
platforms in the mid-tier. These application platforms are commonly called
application servers or integration servers. (To simplify terminology, this book uses the
term application server to indicate any type of mid-tier application platform.) As we’ve
discussed, the business motivation for this development is compelling: Web Services
business logic allows accessibility to back-office legacy data in ways never imagined;
the opportunities for increased interaction among all kinds of buyers and suppliers
seem endless.
Security gets much more interesting when we introduce Web Service-enabled components.
Although there are many technologies that hook up Web servers to backoffice
legacy systems via a middle tier, the security of these approaches is often
nonexistent. In fact, several recent publicized attacks have been caused by weaknesses
in mid-tier security that have exposed sensitive back-office data (for example, customer
credit card numbers and purchase data) to the outside world. Companies are
usually at a loss for solutions to middle tier security problems.
To solve the thorny issue of securely connecting Web servers to back-office data
stores, we introduce the concept of end-to-end Enterprise Application Security Integration
(EASI). EASI is a special case of EAI (Ruh, Maginnis, Brown 2000).
EAI is a technique for unifying many different applications by using a common middleware
infrastructure. EAI provides an application “bus” that allows every application
to communicate with others via a common generic interface. Without EAI, an
application would need a separate interface for every other application, thus causing
an explosion of pairs of “stovepipe” connections between applications. EAI allows
application development to scale to a large number of interchangeable components.
We recognize that the integration of end-to-end security requires EAI techniques.
Many different security technologies are used in the perimeter, middle, and back-office
tiers. Typically, these security technologies do not interoperate easily. As a result, we
face exactly the same problem that application integrators face: Aseparate ad hoc interface
to connect one security technology to another causes an explosion of stovepipe
connection pairs between security technologies.
EASI (Heffner 2001) provides a common security framework to integrate many different
security solutions. We use Web Services security to bridge the security gap
between perimeter and back-office security. By using EASI, new security technologies
in each tier may be added without affecting the business applications. We’ll further
explore the concept of EASI in the next sections.
EASI Requirements
A key issue in enterprise security architectures is the ability to support end-to-end
security across many application components. End-to-end security is the ability to
ensure that data access is properly protected over the entire path of requests and
replies as they travel through the system. The scope of end-to-end security begins with
the person accessing a Web browser or other client program, continues through the
business components of the middle tier, and ends at the data store on the back-office
legacy system. The path may travel through both public and private networks with
varying degrees of protection.
In the enterprise architecture shown in Figure 1.4, a user accesses an application in
the presentation layer (for example, a Web browser client sends requests to a Web
server), which communicates to mid-tier business components (such as Web Serviceenabled
application servers). Frequently, the client request is transmitted through a
complex multitier chain of business components running on a variety of platforms.
The request finally makes it to one or more back-office legacy systems, which access
persistent data stores on behalf of the user, process the request, and return the appropriate
results.
To provide end-to-end security, each link in the chain of requests and replies must
be properly protected: from the initiating client, through mid-tier business components,
to the back-office systems, and then back again to the client. There are three
security tiers that make up any end-to-end enterprise security solution:
Perimeter security technologies. Used between the client and the Web server.
Perimeter security enforces protection for customer, partner, and employee
access to corporate resources. Perimeter security primarily protects against
external attackers, such as hackers.
Mid-tier security technologies. Used between the mid-tier business components.
Mid-tier security focuses primarily on protecting against insider attacks, but
also provides another layer of protection against external attackers.
Back-office security technologies. Address the protection of databases and operating-
system-specific back-end systems, such as mainframe, Unix, and Windows
2000 server platforms.
EASI Solutions
EASI solutions integrate security technologies across the perimeter, middle, and backoffice
security tiers. An EASI solution first and foremost consists of a security framework,
which describes a collection of security service interfaces that may be
implemented by an evolving set of security products. We’ll spend most of this section
describing our approach for defining an enterprise security framework. As you read
the rest of this book, keep in mind that we use this security framework to integrate
interfaces into all of the Web Service security technologies discussed.
In addition to the framework, an EASI solution also contains the software and hardware
technologies for securing e-business components. Chapters 3, 4, 5, 6, and 7
describe digital signatures and encryption for XML documents, WS-Security, SAML,
J2EE, CORBA, .NET, COM+, and many other security technologies that may be used to
secure Web Services components.
Finally, an EASI solution contains integration techniques, such as bridges, wrappers,
and interceptors, that developers can use to plug security technologies into a
middleware environment. To hook together different security technologies, EASI must
solve a key problem: defining a secure association between clients and targets that
establishes a common security context. The security context, which contains a user’s
identity and other security attributes, must be transferred across the system to a target
application. A user’s identity and security attributes form the basis for authorization
decisions and audit events, and must be protected as they are transmitted between
perimeter, middle, and back-office tiers, as shown in Figure 1.4. Because each technology
in these tiers represents and protects a user’s security information differently, integration
of the security context can be a rather difficult problem.
So how can one get a patchwork of different security technologies to interact with
and augment one another? The Organization for the Advancement of Structured Information
Standards (OASIS) is defining standards called WS-Security and SAML to
address this issue. WS-Security defines a standard way to attach security information
to SOAP messages, while SAML defines a format for exchanging authentication,
authorization, and attribute assertions. The combination of these two specifications
provides a description of the security context that can be passed across the tiers of an
architecture. WS-Security and SAML together are a standards-based approach for
expressing the security context that is not tied to any particular vendor’s application
environment or security product. Designed specifically for distributed security environments,
WS-Security and SAML are important building blocks for any Web Services
security framework. In Chapter 4, “XML Security and WS-Security,” and Chapter 5,
“Security Assertion Markup Language,” we’ll explore WS-Security and SAML in
depth; in Chapter 10, “Interoperability of Web Services Security Technologies,” we’ll
look at how WS-Security and SAML facilitate the exchange of an interoperable security
context across multiple Web Services security technologies.
EASI Framework
The EASI framework specifies the interactions among the security services and the Web
Services components that use those security services. By using common interfaces, it’s
possible to add new security technology solutions without making big changes to the
existing framework. In this way, the EASI framework supports “plug-ins” for new security
technologies. Key aspects of the framework are shown in Figure 1.5.
Applications
The security framework provides enterprise security services for presentation components,
business logic components, and back-office data stores. The framework supports
security mechanisms that enforce security on behalf of security-aware and
security-unaware applications.
Security-aware application. An application that uses security Application Programming
Interfaces (APIs) to access and validate the security policies that
apply to it. Security-aware applications may directly access security functions
that enable the applications to perform additional security checks and fully
exploit the capabilities of the security infrastructure.
Security-unaware application. An application that does not explicitly call security
services, but is still secured by the supporting environment (for example,
J2EE or COM+ container). Security is typically enforced for security-unaware
applications by using interceptors, which transparently call the underlying security
APIs on behalf of the application. This approach reduces the burden on
application developers to implement security logic within applications and
lessens the chance of security flaws being introduced.
Other applications, called security self-reliant applications, do not use any of the security
services provided by the framework. A security self-reliant application may not
use the security services for two reasons: because it has no security-relevant functionality
and thus does not need to be secured or because it uses separate independent
security functions that are not part of the defined EASI security framework.
APIs
The framework security APIs are called explicitly by security-aware applications and
implicitly by security-unaware applications via interceptors. Security APIs provide
interfaces for access to the framework security services. The framework supports standard,
custom, and vendor security APIs.
Standard security APIs. We encourage support for APIs based on open standards
or industry de facto standards. Examples of such standards are the J2EE
and COM+ security APIs described in this book in Chapter 7, “Security of
Infrastructures for Web Services.” These standards should be used whenever
possible because they are likely to provide the most stability and the most portability
across many different vendors’ products.
Custom security APIs. Custom APIs may be implemented when an enterprise’s
needs cannot be met by existing standard APIs. Custom APIs are required especially
when an enterprise uses a security service that is tailored to its business,
for example, a custom-rule-based entitlements engine developed internally by
an investment bank.
Vendor security APIs. As a last resort, vendor-specific proprietary APIs may be
used where open standards have not yet been defined. We recommend avoiding
the use of proprietary security APIs in applications if at all possible. Proprietary
APIs make it very difficult for the developer or administrator to switch security
products. Although vendors may think this is a great idea, we believe that security
technology is changing much too rapidly for an enterprise to be confined to
any one product. As an alternative, we recommend wrapping a vendor’s proprietary
API with a standard or custom API.
Core Security Services
The next layer of the security framework provides core security services enabling endto-
end application security across multitier applications. Each of the security services
defines a wrapper that sits between the security APIs and the security products. The
security services wrappers serve to isolate applications from the underlying security
products. This allows one to switch security products, if the need arises, by simply creating
a new wrapper, without affecting application code. The key security services are
authentication, authorization, cryptography, accountability, and security administration,
which we defined previously.
Framework Security Facilities
The framework provides general security facilities that support the core security services.
The framework security facilities include the profile manager, security association,
and proxy services.
Profile manager. Provides a general facility for persistent storage of user and
application profile and security policy data that can be accessed by other framework
services.
Security association. Handles the principal’s security credentials and controls
how they propagate. During a communication between any two client and target
application components, the security association establishes the trust in each
party’s credentials and creates the security context that will be used when protecting
requests and responses in transit between the client and the target. The
security association controls the use of delegation, which allows an intermediate
server to use the credentials of an initiating principal so that the server may act
on behalf of the principal. (Delegation is discussed in considerably more detail
in Chapter 11, “Administrative Considerations for Web Services Security.”)
Security proxy services. Provide interoperability between different security technology
domains by acting as a server in the client’s technology domain and a
client in the target’s domain.
Security Products
Implementation of the framework generally requires several security technology products
that collectively constitute the enterprise security services. Examples of such
required security products include firewalls, Web authentication/authorization products,
Web Service and component authentication/authorization products, cryptographic
products, and directory services. Several of these product categories are
discussed in this book. We describe CORBA, COM+, .NET, and J2EE security in Chapter
7, and we survey other relevant security technologies in Chapter 12.
EASI Benefits
At this point, the benefits of using a framework to address enterprise application security
integration should be clear. Our approach focuses on standards, which are the best
way to maintain Web Service application portability and interoperability in the long
run. Products and technologies will come and go, but generally accepted security standards
for fundamental security services will be much more stable. A standards-based
set of security APIs allows you to evolve security products over time without needing
to rewrite your applications. Designing your applications for evolving security products
is important because we believe that your business requirements and new security
technologies will continue to be a moving target. You might choose a great product that
satisfies your needs for the present, but you’ll probably want to change the product in
the future, and most people don’t want to be stuck with any one vendor’s product for
too long.
Having a security framework also means that you don’t need to implement everything
at once. The framework allows you to start small by selecting the security services
you need and building more sophisticated security functionality when and if it’s
required. The framework provides you with a roadmap for your security architecture,
helping to guide you on how to choose products and technologies that match your
needs over time.
Finally, the framework puts the security focus where it should be—on building a
common infrastructure that can be shared across the enterprise. Custom-built security
that is hand-coded within applications is expensive to implement and maintain and is
likely to have more security vulnerabilities. A single security infrastructure with APIs
that can be used by all of your applications avoids multiple, duplicate definitions of
users, security attributes, and other policies. You can focus your limited time and
money on building a few critical interoperable security technologies rather than coping
with a mass of unrelated security products that will never work together.
After we have fully explored the many aspects of Web Services security, we will
return to the theme of EASI at the end of this book. In Chapter 12, when we explain
how to plan and build integrated Web Services systems, we use EASI concepts to bring
the various security technologies together into a coherent security architecture.
Example of a Secure Web Services Architecture
Throughout this book, we use a simple e-commerce example to illustrate Web Services
security topics. Several of the chapters start with the basic scenario described here and
then extend the example in a variety of ways to emphasize specific security issues. In
this section, we introduce the basic example and provide an overview of its business
security requirements.
Business Scenario
Our application is a simple online storefront provided by ePortal, shown in Figure 1.6.
The store sells its products to customers, who can electronically place and settle orders
for products through customer accounts represented by shopping carts. Members are a
category of customers who get special treatment. Members have access to product
deals that are not available to regular customers. We also have two other classes of
users that access the storefront: visitors are casual browsers of the site, and staff administer
the storefront applications.
Users have two potential ways to access the services provided by ePortal. In the typical
consumer scenario, users access ePortal directly via a browser client. Browser
clients may reside anywhere on the Internet, and access the ePortal services via HTML
over HTTP (or HTTPS when SSL is used). Alternately, in a business-to-business (B2B)
scenario, ePortal users who are employees of a separate company, namely eBuyer,
access ePortal via Web Services applications. In this case eBuyer employees do not
access ePortal directly using a client browser; instead special-purpose applications in
eBuyer access ePortal services on behalf of the employees (who may use either a Web
browser to access the eBuyer application or perhaps use a customized user interface).
The applications access ePortal services via SOAP over HTTP (or HTTPS).
The services provided by ePortal are actually implemented by a third company,
eBusiness. ePortal accesses the eBusiness services via SOAP over HTTP (or HTTPS).
eBusiness stores information about products and prices, and also processes the orders
received by ePortal.
Why wouldn’t customers access the eBusiness services directly rather than going
through ePortal? There are several possible reasons. eBusiness may not be interested in
providing a direct Web presence for a large number of consumers, since such a service
requires maintaining authentication information for all users, protecting against denialof-
service attacks, and other complexities of a large-scale Web deployment. Furthermore,
ePortal may consolidate service offerings from many other companies besides eBusiness.
In this case, ePortal may provide the recognized consumer brand (such as those provided
by Amazon or eBay), and the consumer may not even be aware that eBusiness exists.
Web Services Interfaces
Figure 1.7 provides an overview of the Web Services implemented by eBusiness. As we
just described, eBusiness provides Web Services to ePortal, which in turn provides
these services to users.
The list below describes the eBusiness Web Service interfaces along with the methods
(operations) that each interface supports. For simplicity, we have omitted the operation
signatures that describe arguments and return values because these have little
relevance to the security policies that we will define.
■■ ProductManager is the object manager that returns Product instances.
■■ getProducts returns a list of ProductIDs that represents the inventory of
products that eBusiness is selling. (To keep the example simple, we don’t
provide an interface to add new products to the list.)
■■ lookup returns a Product instance based on a supplied ProductID.
■■ Product represents a product that eBusiness is selling.
■■ getPrice returns the price of Product.
■■ setPrice sets the price of Product.
■■ AccountManager is the object manager that returns Account instances. This
manager stores accounts (shopping carts) so a customer may retrieve them for
later use.
■■ create makes a new Account based on the CustomerID.
■■ delete removes an existing Account.
■■ lookup retrieves an existing Account based on the CustomerID.
■■ Account represents a customer’s shopping cart, which is a list of product orders.
■■ placeOrder puts an order into Account.
■■ deleteOrder deletes an order from Account.
■■ listOrders lists the orders in Account.
■■ settleOrder allows the customer to pay for the orders in Account with a
credit card.
For this scenario, we assume that the preceding interfaces have been implemented
on an application server containing J2EE, CORBA, COM+, or .NET components. Atypical
interaction would go something like this: Acustomer is first authenticated to ePortal.
com, and ePortal then gets a list of products and prices from eBusiness, using
getProducts and getPrice. The customer then places an order for products into his or
her account, which ePortal requests from eBusiness.com, using placeOrder. Sometime
later the customer settles the orders with a credit card number, which ePortal requests
from eBusiness.com by calling settleOrder.
Scenario Security Requirements
The Web Service security policies that we define in later chapters are based on the business
requirements for this example. Generally, it’s the combination of ePortal and
eBusiness security mechanisms that enforces the overall business requirements for our
example. We describe the business requirements for each class of user below.
Visitors. To entice new customers, ePortal permits visitors who are unauthenticated
users to browse the site. Visitors are permitted very limited access. Visitors
may:
■■ See the product list, but not their prices.
■■ Register to become a customer. Visitors may create an Account, which turns
the visitor into a Customer.
Customers. Most users accessing ePortal are customers who are permitted to
order regular products. Customers may:
■■ See the product list and prices for regular products, but not the prices for
special products, which are only offered to members.
■■ Place, delete, and settle (pay for) orders. A customer may not delete his or
her Account, however, and must ask someone on the ePortal staff to perform
this task. ePortal wants to make it difficult for customers to remove
their affiliation with the company.
Members. If approved by ePortal, some customers may become members. Members
have a longstanding relationship with ePortal and are offered price breaks
on special products. Other than having access to special products and prices,
members exhibit the same behavior as customers. Members may:
■■ See the product list and prices for regular and special products.
■■ Place, delete, and settle (pay for) orders. A member may not delete his or
her Account, however, and must ask someone on the ePortal staff to perform
this task. ePortal wants to make it difficult for members to remove
their affiliation with the company.
Staff. ePortal and eBusiness company staff members are responsible for administering
all aspects of the site. However, ePortal and eBusiness are concerned
about someone on the staff committing fraud by creating fictitious customers
and using stolen credit card numbers to order merchandise. To prevent this
exposure, people on the staff are not permitted to settle orders on behalf of customers
or members. Staff may:
■■ See the product list and prices for regular and special products and set
product prices.
■■ Assist a customer or member by placing, deleting, or listing orders on their
behalf. Staff may not settle orders, however—customers and members must
settle their own orders.
■■ Administer customer and member accounts, including the creation, deletion,
and looking up of the accounts.