Java Web Services

insidiousbehaviorSecurity

Nov 3, 2013 (3 years and 10 months ago)


The other white meat

Distributed Programming


Disparate:


Standards


Frameworks


Standards’ Versions


Technologies


Implementations

History of Distributed


DCE (Distributed Computing Environment)


RPC, Naming/Directory lookup


CORBA


EJBs


RMI


.NET Remoting


Web Services (SOAP)

Fallacies of Distributed Computing

(flawed assumptions made by programmers when first developing distributed applications)


The network is reliable


Latency is zero


Bandwidth is infinite


The network is secure


Topology doesn't change


There is one administrator


Transport cost is zero


The network is homogeneous


Web Services Soup


Web services standards poster, courtesy of InnoQ:

http://www.innoq.com/soa/ws-standards/poster/innoQ%20WS-Standards%20Poster%202007-02.pdf



Standards are great (I will go home and make one of my own!)


De-facto standards are more useful and more stable than committee standards


You cannot drink the ocean and survive

Web Services are hard

(but should not be)


Think outside the box (do not always believe
what they tell you, have a judgment)


Agile approach is the best


Pick the simplest tool/approach which
accomplishes what you need in the fastest time


Do not over-architect


Do not invent requirements


Get system up and running as fast as possible
with minimal implementation


Refactor to add capability only if necessary

Web Services Standards Breakdown


Despite the proliferation of various standards,
very few of them are actually being used


95%


SOAP (serialization)


WSDL (service description)


5%


All other specs combined!


Check for yourself: Indeed.com trends for soap, wsdl, saml, ws-security, ws-messaging and ws-reliability


Main Problems


Still RPC (remote procedure call)


Location of service


Convenience of invocation (appearance of
local call)


Hydration/dehydration, marshalling/un-marshalling, serialization/de-serialization, etc.


Performance

Focusing on important


Hessian


Burlap


Bean Serialization


RSS, REST, SOAP, ESB, Java, Groovy

Maven


Short introduction to Hessian


Simple, lightweight binary protocol


http://www.caucho.com/resin-3.0/protocols/hessian-1.0-spec.xtp


Free to use/implement


Easy to use

Hessian


Synchronous remote call


Serialization/deserialisation


Use HTTP, or any other transport (roll your
own)

Hessian Server


Implementation:

    import com.caucho.hessian.server.HessianServlet;

    // Service contract shared by client and server.
    public interface Hello
    {
        String hello(String greeting);

        HelloBean getHello(String greeting);
    }

    // Servlet endpoint: HessianServlet exposes the Hello methods over HTTP.
    public class HelloServlet extends HessianServlet implements Hello
    {
        public String hello(String greeting)
        {
            System.out.println("Client passed: " + greeting);
            return "Same to you: " + greeting;
        }

        public HelloBean getHello(String greeting)
        {
            return new HelloBean(greeting, (int)System.currentTimeMillis());
        }
    }



Hessian Client



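    import com.caucho.hessian.client.HessianProxyFactory;

    String url = "http://localhost:9090/hessian/hello";

    // The factory returns a proxy that implements Hello and forwards each call to the URL.
    HessianProxyFactory factory = new HessianProxyFactory();
    Hello hello = (Hello) factory.create(Hello.class, url);

    System.out.println("hello(): " + hello.hello("hi"));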


Burlap


Simple XML-based serialization protocol


Design Goals:


It must use the simplest possible subset of XML.


It must not require external IDL or schema definitions; it should be invisible to application writers.


It must have sufficient power to serialize Java.


It must have sufficient power to support EJB.


It must allow non-Java clients to use web services.


It must allow web services to be deployed as a Servlet.


It must be simple so it can be effectively tested.


It must be as fast as possible.


It should support transaction contexts.

Burlap Spec


http://www.caucho.com/resin-3.0/protocols/burlap-1.0-spec.xtp


Free to use/implement


Easy to use


Non-Java implementations!


Burlap Server


Implementation:

    import com.caucho.burlap.server.BurlapServlet;

    // Service contract shared by client and server.
    public interface Hello
    {
        String hello(String greeting);

        HelloBean getHello(String greeting);
    }

    // Servlet endpoint: BurlapServlet exposes the Hello methods over HTTP.
    public class HelloServlet extends BurlapServlet implements Hello
    {
        public String hello(String greeting)
        {
            System.out.println("Client passed: " + greeting);
            return "Same to you: " + greeting;
        }

        public HelloBean getHello(String greeting)
        {
            return new HelloBean(greeting, (int)System.currentTimeMillis());
        }
    }



Burlap Client



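    import com.caucho.burlap.client.BurlapProxyFactory;

    String url = "http://localhost:9090/hessian/hello";

    // The factory returns a proxy that implements Hello and forwards each call to the URL.
    BurlapProxyFactory factory = new BurlapProxyFactory();
    Hello hello = (Hello) factory.create(Hello.class, url);

    System.out.println("hello(): " + hello.hello("hi"));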


Roll Your Own Web Services


If the most important problems to solve are:


RPC (remote procedure call)


Location of service


Convenience of invocation (appearance of local call)


Hydration/dehydration, marshalling/un-marshalling, serialization/de-serialization, etc.


Performance


Can we design our own web services system?



Design Solutions


RPC: use Java Reflection mechanism to locate implementation, call method, pass parameter, get a return value


Location of service


host as a simple servlet with a known URL


will not build a UDDI



Convenience of invocation (appearance of local call)


Use Java Dynamic Proxy to intercept calls to a “local” object


Hydration/dehydration, marshalling/un-marshalling, serialization/de-serialization, etc.: Use XMLEncoder/XMLDecoder for serialization, but leave room to plug any other serialization technology (XMLBeans, JAXB, etc.)


Performance


will largely depend on the serialization technology of choice (did not stress test XMLEncoder/XMLDecoder)
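
The design above as one small program, added here as an example (not the presenter's demo code): a dynamic proxy marshals each call with XMLEncoder, and the server side uses reflection limited to the methods of the exported interface. The class and method names (BeanRpcSketch, encode, dispatch, proxy) are assumptions, and a direct in-process call stands in for the HTTP POST to the servlet.

```java
import java.beans.XMLDecoder;
import java.beans.XMLEncoder;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

public class BeanRpcSketch {
    public interface Hello { String hello(String greeting); }
    // Marshal values into one XMLEncoder document (helper names here are illustrative).
    static byte[] encode(Object... values) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (XMLEncoder enc = new XMLEncoder(out)) {
            for (Object v : values) enc.writeObject(v);
        }
        return out.toByteArray();
    }

    // Server side: reflection restricted to methods declared on the exported interface.
    static byte[] dispatch(Class<?> api, Object impl, byte[] request) throws Exception {
        // XMLDecoder runs the XML as constructor/method calls: trusted callers only.
        try (XMLDecoder dec = new XMLDecoder(new ByteArrayInputStream(request))) {
            String name = (String) dec.readObject();
            Object[] args = (Object[]) dec.readObject();
            for (Method m : api.getMethods()) {
                if (m.getName().equals(name) && m.getParameterCount() == args.length) {
                    return encode(m.invoke(impl, args));
                }
            }
            throw new NoSuchMethodException(name + " is not part of " + api.getName());
        }
    }

    // Client side: the dynamic proxy makes the remote call look like a local one.
    static <T> T proxy(Class<T> api, Object remoteImpl) {
        return api.cast(Proxy.newProxyInstance(api.getClassLoader(), new Class<?>[] {api},
            (self, method, args) -> {
                Object[] a = (args == null) ? new Object[0] : args;
                // Assumption: in-process call stands in for the HTTP POST to the servlet URL.
                byte[] reply = dispatch(api, remoteImpl, encode(method.getName(), a));
                try (XMLDecoder dec = new XMLDecoder(new ByteArrayInputStream(reply))) {
                    return dec.readObject();
                }
            }));
    }
    public static void main(String[] argv) {
        Hello hello = proxy(Hello.class, (Hello) g -> "Same to you: " + g);
        System.out.println("hello(): " + hello.hello("hi"));
    }
}
```

XMLDecoder executes the XML it reads as constructor and method calls, so this layer fits only where both ends are trusted. The pluggable-serialization seam in the design is where a data-only binding such as JAXB would replace it for an endpoint that accepts requests from outside.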


Bean Serialization Demo

Bean Serialization


Exception management missing


can be easily implemented


Java only


see the XML


Multiple endpoint implementations easy to
add: lookup implementation from Spring
context, Spring will add DI, AOP.


Actual serialization can be swapped for
something else


REST Rules!


Just HTTP as it was intended


REST is HTTP!


4 verbs:


GET, PUT, POST, DELETE


Simple, expressive URL


Easy to version


Easy to understand


No



REST vs SOAP

For the most part, REST wins

Amazon provides REST and SOAP

85% developers use REST!

Demo Vitality REST Services

Best Practices


Coarse Grain services


Message oriented, not RPC oriented (has nothing to do with encoding, more of a concept - see the bean serialization example)


WS command pattern (used at WK)


Avoid if you can


Versioning is important


Avoid WSDL generation from code


Separate XSD from WSDL


Start designing with business entities, move to
XSD expression. WSDL must be simple