CICT Web-Java conferentie: The immediate Future of Web Technology

Nov 5, 2013 (3 years and 11 months ago)

© 2008 IBM Corporation
CICT Web-Java conferentie:
The immediate Future of Web Technology
AD01 – Web Services, a Primer
David Artus - ISSW Consultant, IBM Hursley Labs
© 2005 IBM Corporation
Agenda
 Web services, the Vision
 Web services Terminology
 Standards
 WebSphere Feature Pack for Web Services
 Summary
Agenda
 Web services, the Vision
– Brief demonstration
• consuming a Web service
– Real-world scenarios
– A working definition
 Web services Terminology
 Standards
 WebSphere Feature Pack for Web Services
 Summary
What just happened
 A service was consumed by a client
– Minimal negotiation between provider and consumer
• “use my Web service”
– Client and server decoupled
• Location, HW, OS, Programming Language
 Major pre-requisite, obtain …
– Technical service definition (methods, parameters …)
– The business meaning of the service
 Consider: what else would you want to know?
– QOS (availability, scalability)
– Security?
What just happened?
 HTTP communication
– Request and response flowed over HTTP
– Client selected correct host/port
 Agreed XML message format
– Both request and response
 Significant processing in client
– Code was generated
Service definition:
• Primary technical contract
• Machine readable (by tooling)
• Conforms to agreed standards
Example: B2B self-service
[Diagram: Financial Transaction Records, $700 per dispute; FTR Service, $70 per dispute]

How much work for the provider?
 With tooling, “coding” aspects not difficult
– Bottom-up, pre-existing service
• Obtain (or write) a service object (often a Session EJB)
• Tool will generate
– service definition (publish that to consumer)
– Infrastructure code
• Deploy as normal WebSphere application
– Top-down
• Architect/tech leader designs interface
– Express as service definition
• Generate skeleton
• Write implementation
• Deploy as normal WebSphere application
How much work for the provider?
 “Design Interface” – may not be simple
– Usually stateless, non-conversational
– Performance affected by granularity
– Ease of use depends on ease of understanding
– Very careful attention to error recovery
• Can I safely re-submit a failed request?
 Penalty of success
– Extra resource consumption
– Create new versions without impacting current
consumers
 Leads to questions of control and governance
Service design principles:
http://www.ibm.com/developerworks/webservices/library/ws-soa-design/
WebSphere Service Registry and Repository
Provides value throughout the service lifecycle
Promote Reuse: Find and reuse services for building new processes and applications.
Optimize Service Usage: Impact analysis. Change notification. Version management. Socialize health and performance information.
Enable Governance: Govern services throughout the service lifecycle. Reconcile governed services with deployed services.
IBM WebSphere Service Registry and Repository 6.1

Enable governance – Govern capability
WSRR enabling service governance
 Role based access to services for sharing and reuse
– Easy to use access-control editor
 Complete service life cycle management
– User definable collections of service
metadata that can be governed together
 Controlled lifecycle state transitions
– Customizable validators
– Subscriber notifications
 Support for service promotion from one environment
to another (e.g. staging to production)
Web services and IBM Products
 WSRR
– Registry
– Service governance
 WebSphere ESB
– Routing of service requests
 WebSphere Process Server
– Invoke Web services in business process implementation
 DataPower
– Web Service proxy – valuable at enterprise edge
– Efficient security implementation
Summary so far, Web Services are
 Integration Technology
 Can be used as basis for SOA
 Built on Open Standards
 Platform independent
– supported by many vendors
 Widely adopted by IBM
– strong support in WebSphere family products
– also support in CICS, DB2 …
Agenda
 Web services, the Vision
 Web services Terminology
– the technologies used in the demo
• WSDL, SOAP,
– Other requirements, more technologies
• MTOM …
 Standards
 WebSphere Feature Pack for Web Services
 Summary
Web Service Components
 Service Provider
– Provides e-business services
– publishes availability of these services
through a registry
 Service Registry
– Provides support for publishing and
locating services
– like telephone yellow pages
 Service Requestor
– Locates required services via the
Service Registry
– binds to services offered by Service
Provider
[Diagram, The “classic” Web Services picture: Service Provider, Service Registry and Service Requestor, linked by Publish, Find and Use]

Web Services: Base Technologies
 WSDL - Web Services Description Language
– An XML vocabulary to describe service interfaces
 SOAP (not an acronym!)
– An XML protocol to invoke a "function" on a server to perform a given
operation
 UDDI - Universal Description, Discovery, Integration
– Registry of services
– Now supplemented by products with broader capabilities – WebSphere
Service Registry and Repository
 XML – self-describing data
– Pervades the above!
Describing Services and Service Providers
WSDL = Web Services Description Language

WSDL elements
[Diagram of a WSDL Document. Labels: Service Implementation Definition, Service, Port, Service Interface Definition, Binding, Operation, Message, Transport Binding Definition, Type]
 Service Interface
– WHAT
– Abstract, reusable service definition
– Represents a type of service that can be
implemented
– Elements: types, message, portType
 Service Binding
– HOW
– How messages are placed on a given
transport
– Elements: types, message, portType
 Service Implementation
– WHERE
– Implementation of one or more service
interfaces
– Contains the endpoint reference
– Elements: port and service
WSDL – the service description
 An example of WSDL, a translation service
 Firstly, it defines the input and output messages for the service, including
the format of the data that is expected:
  <message name="BabelFishRequest">
    <part name="translationmode" type="xsd:string"/>
    <part name="sourcedata" type="xsd:string"/>
  </message>
  <message name="BabelFishResponse">
    <part name="return" type="xsd:string"/>
  </message>
 Secondly, it ties these two messages into an operation:
  <operation name="BabelFish">
    <input message="tns:BabelFishRequest" name="BabelFish"/>
    <output message="tns:BabelFishResponse" name="BabelFishResponse"/>
  </operation>
[Slide callouts: parameter, data type, WSDL tags, service description]

WSDL – the service description (cont’d)
 It then defines the invocation style (“binding”) for the service:
  <binding name="BabelFishBinding" type="tns:BabelFishPortType">
    <soap:binding style="rpc"
        transport="http://schemas.xmlsoap.org/soap/http"/>
  </binding>
 Note: Web services support many different styles and transports,
including HTTP, e-mail etc.
 And finally, it describes the actual location of the service (“port”):
  <port name="BabelFishPort" binding="tns:BabelFishBinding">
    <soap:address location="http://services.xmethods.net:80/perl/soaplite.cgi"/>
  </port>
 WSDL is almost always tool-generated and tool-read
[Slide callouts: remote procedure call (RPC) style, HTTP transport, invocation URL, service description]

Tooling makes creating easy …
EJB to Web Service
Tooling makes consuming easy …
Generate Web Service
Client
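
What a tool reads out of a WSDL before it generates a client, shown on the BabelFish fragments from the earlier slides. This is an added example, not code from the presentation or from any IBM tool; the <definitions> and <portType> wrappers, the targetNamespace and the service name BabelFishService are assumptions made so the fragments form one parseable document. It also reports endpoints that are not HTTPS.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
}

# Constructed document: the slide fragments inside an assumed <definitions> wrapper.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions name="BabelFish"
    targetNamespace="urn:example:babelfish"
    xmlns:tns="urn:example:babelfish"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns="http://schemas.xmlsoap.org/wsdl/">
  <message name="BabelFishRequest">
    <part name="translationmode" type="xsd:string"/>
    <part name="sourcedata" type="xsd:string"/>
  </message>
  <message name="BabelFishResponse">
    <part name="return" type="xsd:string"/>
  </message>
  <portType name="BabelFishPortType">
    <operation name="BabelFish">
      <input message="tns:BabelFishRequest" name="BabelFish"/>
      <output message="tns:BabelFishResponse" name="BabelFishResponse"/>
    </operation>
  </portType>
  <binding name="BabelFishBinding" type="tns:BabelFishPortType">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
  </binding>
  <service name="BabelFishService">
    <port name="BabelFishPort" binding="tns:BabelFishBinding">
      <soap:address location="http://services.xmethods.net:80/perl/soaplite.cgi"/>
    </port>
  </service>
</definitions>
"""


def local(qname):
    """Drop a prefix such as 'tns:' from a QName attribute value."""
    return (qname or "").split(":", 1)[-1]


def describe_wsdl(text):
    """Resolve service -> port -> binding -> portType -> messages (WHERE, HOW, WHAT)."""
    root = ET.fromstring(text)
    messages = {
        m.get("name"): [(p.get("name"), p.get("type")) for p in m.findall("wsdl:part", NS)]
        for m in root.findall("wsdl:message", NS)
    }
    port_types = {}
    for pt in root.findall("wsdl:portType", NS):
        ops = {}
        for op in pt.findall("wsdl:operation", NS):
            entry = {}
            for direction in ("input", "output"):
                ref = op.find(f"wsdl:{direction}", NS)
                name = local(ref.get("message")) if ref is not None else ""
                entry[direction] = messages.get(name, [])
            ops[op.get("name")] = entry
        port_types[pt.get("name")] = ops
    bindings = {}
    for b in root.findall("wsdl:binding", NS):
        sb = b.find("soap:binding", NS)
        bindings[b.get("name")] = {
            "portType": local(b.get("type")),
            "style": sb.get("style") if sb is not None else None,
            "transport": sb.get("transport") if sb is not None else None,
        }
    ports = []
    for svc in root.findall("wsdl:service", NS):
        for port in svc.findall("wsdl:port", NS):
            addr = port.find("soap:address", NS)
            binding = bindings.get(local(port.get("binding")), {})
            ports.append({
                "service": svc.get("name"),
                "port": port.get("name"),
                "location": addr.get("location") if addr is not None else None,
                "style": binding.get("style"),
                "transport": binding.get("transport"),
                "operations": port_types.get(binding.get("portType"), {}),
            })
    return ports


def endpoint_findings(ports):
    """Report ports whose address gives no transport-level protection."""
    findings = []
    for p in ports:
        if urlsplit(p["location"] or "").scheme != "https":
            findings.append(f"{p['port']}: endpoint {p['location']} is not HTTPS")
    return findings


if __name__ == "__main__":
    for port in describe_wsdl(SAMPLE_WSDL):
        print(port)
    print(endpoint_findings(describe_wsdl(SAMPLE_WSDL)))
```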
SOAP Protocol
SOAP
 In the past: Simple Object Access Protocol
– SOAP 1.2 spec states it is not an acronym
 Based on XML
 SOAP is a message format
 Specifies element tags and structure for
(“messaging envelope”)
– Header and body for message
– Errors
 Includes optional data encoding and bindings
SOAP RPC Message Structure
 Request and Response messages
– Request invokes a method on a remote object
– Response returns result of running the method
 SOAP defines an "envelope"
– "envelope" wraps the message itself
– message is a different vocabulary
– namespace prefix is used to distinguish the two parts
[Diagram: SOAP envelope (SOAP Envelope vocabulary) wrapping the message (application-specific message vocabulary)]

A SOAP Request Message
  <SOAP-ENV:Envelope
      xmlns:SOAP-ENV="http://www.w3.org/2001/06/soap-envelope">
    <SOAP-ENV:Body>
      <m:GetLastTradePrice xmlns:m="Some-URI">
        <symbol>DIS</symbol>
      </m:GetLastTradePrice>
    </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
[Slide callouts: SOAP envelope, message]

A SOAP Response Message
  <SOAP-ENV:Envelope
      xmlns:SOAP-ENV="http://www.w3.org/2001/06/soap-envelope">
    <SOAP-ENV:Body>
      <m:GetLastTradePriceResponse xmlns:m="Some-URI">
        <Price>134</Price>
      </m:GetLastTradePriceResponse>
    </SOAP-ENV:Body>
  </SOAP-ENV:Envelope>
[Slide callouts: app-specific message, SOAP envelope, Result returned in Body]

Why SOAP?
 Standard agreed to by all major industry players
 Use of existing protocol infrastructure (HTTP, SSL, SMTP, Messaging)
 Accessible software services on the web require:
– Protocol -- how interactions are structured, who initiates requests
and how responses are made, e.g. TCP/IP, HTTP, SMTP
– Wire Format -- How information is organized when sent over a
network.
 Need for simple, extensible, platform independent, standard for
message exchange
 Many benefits to XML usage
– Machine and human readable
– Expressiveness, standardization, tools
 Separation of application specific information (body) from quality of
service and processing information (header)
UDDI and Registries
How does the Requestor get the WSDL?
 WSDL (or its URL) can be emailed to requestor
 WSDL for available services is stored at repository sites like
xmethods.net or www.salcentral.com
 using WS-Inspection language on target site
 use UDDI "find" methods to look it up
…or a Service Registry – WSRR becoming widely used
Binary data, attachments – SwA and MTOM
Services and Binary data
Two primary techniques –
 By value
– Embeds data, after encoding, as an element or attribute
content of the XML
– Gives applications the ability to process and describe data
based only on the XML Reference
 By reference
– Attaches pure binary data as external, unparsed entities
outside the XML document
– Embeds reference URIs to the entities as elements or
attributes
– Minimizes the amount of data and prevents wasting
processing power
SOAP with Attachments
SOAP Messages with Attachments (SwA)
– W3C Note - December 2000
– Uses MIME Multipart/Related packages to send binary data and other attachments alongside XML messages
– Thus avoiding the overhead of encoding

Content-Type: Multipart/Related; boundary=MIME_boundary; type=text/xml

--MIME_boundary
Content-Type: text/xml; charset=UTF-8
Content-Transfer-Encoding: 8bit

<?xml version='1.0' ?>
<soap:Envelope xmlns:soap="...">
  <soap:Body>
    <Person name="bob">
      <Picture>cid:bob@pictures.example.com</Picture>
    </Person>
  </soap:Body>
</soap:Envelope>

--MIME_boundary
Content-Type: image/jpeg
Content-Transfer-Encoding: binary
Content-ID: <bob@pictures.example.com>

...binary JPEG image...
--MIME_boundary--

SOAP MTOM
 SOAP Message Transmission Optimization Mechanism is a specification that focuses on optimizing the sending of binary data via a W3C standard
– W3C recommendation
– Has both SOAP 1.1 and 1.2 bindings
 Customer Pain Points Addressed
– Sending binary attachments (e.g. images, documents) is very costly
• Doubles the size of the message (base64 encoding)
– Microsoft doesn’t support SOAP with Attachments
 MTOM
– MTOM uses a standard called XOP, which defines an XOP reference that exists within the SOAP payload.
• XOP is defined for efficient serialization of XML infosets that have a mix of binary and textual data
• In the XML document, an xop:Include element is added which references the new location of the binary data.
• When reading the original document back from the XOP Infoset, the XOP processor replaces the xop:Include tags with the actual binary data they reference.

SOAP with Attachments and SOAP MTOM
 SwA and MTOM are conceptually similar
– Both encode binary data as a MIME attachment in a MIME
document.
• Using MIME attachments improves the performance of large binary
payloads transport.
– Message Content
• With SwA, the href points to data that is not only physically outside the
XML document but is not logically included within its Infoset.
• With MTOM, the XOP reference logically includes the binary data into
the XML Information Set (Infoset).
– With MTOM, binary attachments can be logically signed as if they were part
of the SOAP XML document.
 In addition to IBM, Microsoft .NET supports MTOM, which
eliminates some of the interoperability problems found with SwA.
– Microsoft does not support SwA

And there is more …
 What else needed for enterprise quality systems?
– Security
• Authorisation
• Identity propagation
• Encryption
– Reliable service invocation
– Transactions
 SOAP headers give a general mechanism for
addressing such issues, but:
– We are integrating, so we need standards …
Agenda
 Web services, the Vision
 Web services Terminology
 Standards
– Versions and the Expectation of Interoperability
– Profiles
– Beyond simple service invocation
 WebSphere Feature Pack for Web Services
 Summary
Standard Stack
XQuery, XACML, SOAP MTOM, XOP, SOAP with Attachments, DIME, XForms, SOAP 1.1, SOAP 1.2, WSDL 1.1, WSDL 2.0, UDDI 2.0, UDDI 3.0, SAML 1.0, SAML 2.0, BPEL4WS, XML
WS-Acknowledgement, WS-Federation, WS-Addressing, WS-Agreement, WS-I18n, WS-Attachments, WS-Authorization, WS-AtomicTransaction, WS-BusinessActivity, WS-CAF, WS-Callback, WS-Coordination, WS-Eventing, WS-Events, WS-Inspection, WS-Manageability, WS-Federation PassiveProfile, WS-EndpointResolution, WS-MessageData, WS-MetadataExchange, WS-Policy, WS-PolicyAssertions, WS-PolicyAttachment, WS-Provisioning, WS-Privacy, EPAL, WS-Referral, WS-Reliability, WS-ReliableMessaging, WS-RM Policy Assertion, WS-Routing, WS-SecureConversation, WS-Polling, WS-Security 1.0, WS-Security 1.1, WS-SecurityPolicy, WS-Transaction, WS-TransmissionControl, WS-Trust, WS-Resource, WS-ResourceProperties, WS-ResourceLifetime, WS-ServiceGroup, WS-BaseFaults, WS-BaseNotification, WS-Topics, WS-BrokeredNotification, WS-BPEL, WS-Choreography

Standard Stack – great benefit from small subsets
Not all Standards are Created Equally
 Standards bodies vary by process, rigor, respect and adoption rate
– And specific standards vary with respect to adoption
 Key standards bodies for SOA:
– W3C, OASIS
– WS-I
 Most established, proven SOA standards:
– XML, XML Schema, SOAP, WSDL, WS-Security

Standards Organizations Most Relevant to WebSphere and Web Services (1 of 2)
 W3C (World Wide Web Consortium) – http://www.w3.org
– Develops interoperable technologies for the Web. Covers HTML, HTTP, XML, SOAP, etc.
• Founded in 1994 and includes 350 member organizations from around the world
– Core Focus – Web based Interoperable Technologies
 OASIS (Organization for the Advancement of Structured Information Standards) - http://www.oasis-open.org
– Development and adoption of Web services, security, e-business, public sector and application-specific standards (BPEL, ebXML, UDDI, WSRP, WS-Security, etc.).
• Founded in 1993, has more than 3,000 participants from 600 organizations in 100 countries
– Core Focus – Web services QOS standards, application-specific standards
 JCP (Java Community Process) – http://www.jcp.org
– Holds the responsibility for the development of Java technology. It primarily guides the development and approval of Java technical specifications (JSRs). JCP is controlled by Sun, but is open to everyone. IBM, BEA, Oracle, Novell, JBoss, AOL, ATG, SAS, Sybase, Borland, Macromedia, HP are among many other contributors
– Core Focus - Standardization of Java technology

Standards Organizations Most Relevant to WebSphere and Web Services (2 of 2)
 WS-I (Web Services Interoperability Organization) – www.ws-i.org
– Open industry effort to promote Web Services interoperability across platforms, applications, and programming languages. Provides guidance, recommended practices, and supporting resources for developing interoperable Web services (WS Basic Profile)
– Core Focus - Promoting interoperability across vendor runtimes
– WS-I Deliverables
• Profiles provide implementation guidelines for how related Web services specifications should be used together for best interoperability.
• Sample Applications demonstrate Web services applications that are compliant with WS-I guidelines.
• Testing Tools are used to determine whether the messages exchanged with a Web service conform to WS-I guidelines. These tools monitor the messages and analyze the resulting log to identify any known interoperability issues.
 WSTF (Web Services Test Forum) - http://www.wstf.org/
– An environment in which members of the Web Service community can develop interop scenarios as well as test those scenarios against other Web Service implementations. It also provides a common test bed of regression tests that the community can use during the development of their Web Service implementations.
– Core Focus - Promoting interoperability across vendor runtimes

WS-I Profiles
 An agreed “slice” through a set of standards
– Version a.b of SOAP
– Version c.d of …
 Each profile itself may have multiple versions
 Vendors test to these profiles
– Good expectation of successful interoperation from conforming vendors
 The WS-I Basic Profile (official abbreviation is BP)
– interoperability guidance for core Web Services specifications such as SOAP, WSDL, and UDDI.
[Diagram labels: WS-I Basic Profile 1.0, WS-I Basic Profile 1.1, WS-I Basic Profile 1.2, WS-I Basic Profile 2.0, MTOM, WS-Addr, SOAP 1.2]

WS-I Basic Profile
Basic Profile (BP) 1.0
Basic Profile (BP) 1.1: Errata
Basic Profile (BP) 1.2: WS-Addressing, MTOM
Basic Profile (BP) 2.0: SOAP 1.2
• SOAP V1.1
• WSDL V1.1
• UDDI V2.0
• XML V1.0 (Second Edition)
• XML Schema: Structures and Data Types
• The Transport Layer Security (TLS) Protocol V1.0
• Internet X.509 Public Key Infrastructure Certificate and CRL Profile
• HyperText Transfer Protocol V1.1
• HTTP over TLS
• HTTP State Management Mechanism
• The Secure Sockets Layer (SSL) Protocol V3.0.

WS-I Security Profile
 Addresses Security Interoperability
– Security that is implemented inside a SOAP message, using WS-Security based headers
• Describes how interoperability for these protocols can be tested within the body of the SOAP
message or inside SOAP attachments.
• Username, X.509, REL, Kerberos, and SAML tokens
– Security implemented at the transport layer, using HTTPS (Secure, or encrypted HTTP).
 The Basic Security Profile 1.0 provides guidance on the use of WS-Security and the REL, UserName and X.509 security token formats.
 The Basic Security Profile 1.1 provides guidance on the use of WS-Security 1.1 and the REL, Kerberos, SAML, UserName and X.509 security token formats.
[Diagram labels: WS-I Basic Profile 1.1, WS-I Basic Security Profile 1.0, WS-Security 1.0, UsernameToken Profile, Kerberos, SAML, WS-I Basic Security Profile 1.1, WS-Security 1.1, X.509 Token Profile, LTPA Token, WS-I Basic Profile 1.0]

WS-Security Specification
 The WS-Security specification, Web Services Security:
– SOAP Message Security 1.0 – released April 2004
– WSS 1.1 – released by OASIS February 2006.
 Defines a framework for placing security information in the SOAP Headers.
 The specification is flexible and designed to be used as the basis for securing Web
services using a wide variety of security models, including PKI, Kerberos, and SSL
– Provides support for:
• multiple security token formats
• multiple trust domains
• multiple signature formats
• multiple encryption technologies based on XML signature and XML encryption to provide
message integrity and confidentiality.
• security token propagation.
 Does not address all aspects of Web services security.
– Represents one layer in a complete, layered security solution for Web services.
WS-Security Specification (2)
 Protect a message by encrypting and/or digitally signing a
body, a header, an attachment, or any combination of them
(or parts of them)
– Message integrity
• leverages XML Signature and security tokens
• ensures that messages
– have originated from the appropriate sender
– were not modified in transit.
– Message confidentiality
• leverages XML Encryption and security tokens to
keep portions of a SOAP message confidential
 WS-Security does not specify the format of the signature or
encryption.
– It specifies how one would embed the security
information laid out by other specifications within a
SOAP message.
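
A structural check a receiver can run before trusting "the message was signed": which parts of the envelope do the ds:Reference entries in the wsse:Security header actually cover? This is an added example, not code from the presentation or from WebSphere or DataPower; the sample envelopes are constructed around the GetLastTradePrice request shown earlier, the use of wsu:Id to mark signed parts is an assumption, and no cryptographic signature verification is performed.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU_ID = f"{{{WSU}}}Id"


def _envelope(body_attr, references):
    """Build a constructed sample envelope; SignatureValue is a placeholder."""
    refs = "".join(f'<ds:Reference URI="{r}"/>' for r in references)
    return f"""<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://www.w3.org/2001/06/soap-envelope"
  xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
 <SOAP-ENV:Header>
  <wsse:Security>
   <ds:Signature><ds:SignedInfo>{refs}</ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  </wsse:Security>
 </SOAP-ENV:Header>
 <SOAP-ENV:Body {body_attr}>
  <m:GetLastTradePrice xmlns:m="Some-URI"><symbol>DIS</symbol></m:GetLastTradePrice>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


# Constructed inputs.
SIGNED_BODY = _envelope('wsu:Id="body-1"', ["#body-1"])
DANGLING_REF = _envelope('wsu:Id="body-1"', ["#ts-1"])
DUPLICATE_ID = SIGNED_BODY.replace("<symbol>", '<symbol wsu:Id="body-1">')
PLAIN_REQUEST = """<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://www.w3.org/2001/06/soap-envelope">
 <SOAP-ENV:Body>
  <m:GetLastTradePrice xmlns:m="Some-URI"><symbol>DIS</symbol></m:GetLastTradePrice>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


def signature_coverage(xml_text):
    """Report whether the SOAP Body is covered by a signature reference."""
    root = ET.fromstring(xml_text)
    if not (root.tag.startswith("{") and root.tag.endswith("}Envelope")):
        raise ValueError("not a namespaced SOAP Envelope")
    env_ns = root.tag[1:].split("}", 1)[0]  # accept whichever SOAP version is used
    header = root.find(f"{{{env_ns}}}Header")
    body = root.find(f"{{{env_ns}}}Body")

    # Index every element that carries a wsu:Id; an Id used twice is ambiguous.
    by_id = {}
    for el in root.iter():
        ident = el.get(WSU_ID)
        if ident is not None:
            by_id.setdefault(ident, []).append(el)

    security = header.find(f"{{{WSSE}}}Security") if header is not None else None
    refs = []
    if security is not None:
        for sig in security.findall(f"{{{DS}}}Signature"):
            signed_info = sig.find(f"{{{DS}}}SignedInfo")
            if signed_info is None:
                continue
            for ref in signed_info.findall(f"{{{DS}}}Reference"):
                uri = ref.get("URI", "")
                if uri.startswith("#"):
                    refs.append(uri[1:])

    findings, signed, signed_ids = [], [], []
    if security is None:
        findings.append("no wsse:Security header")
    elif not refs:
        findings.append("wsse:Security header carries no ds:Reference")
    for ident in refs:
        targets = by_id.get(ident, [])
        if len(targets) == 1:
            signed.append(targets[0])
            signed_ids.append(ident)
        elif not targets:
            findings.append(f"reference #{ident} does not resolve to any element")
        else:
            findings.append(f"wsu:Id {ident} appears {len(targets)} times; reference is ambiguous")

    body_signed = body is not None and any(t is body for t in signed)
    if not body_signed:
        findings.append("SOAP Body is not covered by a signature reference")
    return {"body_signed": body_signed, "signed_ids": signed_ids, "findings": findings}


if __name__ == "__main__":
    for name in ("SIGNED_BODY", "DANGLING_REF", "DUPLICATE_ID", "PLAIN_REQUEST"):
        print(name, signature_coverage(globals()[name]))
```

A message that passes this check still needs its signature value and signing token validated by the WS-Security runtime.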
Interoperability Considerations
WebSphere 5.1.x: WS-Security Draft 13 runtime
WebSphere 6.0.x & 6.1.x: WS-Security Draft 13 runtime, WS-Security 1.0 runtime
WebSphere 6.1.x + WS FeP: WS-Security Draft 13 runtime and WS-Security 1.0 runtime (JAX-RPC); WS-Security 1.0 runtime and WS-Security 1.1 runtime (JAX-WS)
Message types shown: OASIS WS-Security Draft 13 Message, OASIS WS-Security 1.0 Message, OASIS WS-Security 1.1 Message (diagram legend: Able to Process the Message)

Example: B2B self-service
[Diagram: Financial Transaction Records, $700 per dispute; FTR Service (secured), $70 per dispute]

Java APIs relating to Web services
Web Services - J2EE and Java
 JSR 101: JAX-RPC
 JSR 109: Implementing Enterprise Web Services
 JSR 31: JAXB
 JSR 67: JAXM
 JSR 93: JAXR
 JSR 110: WSDL4J
 JSR 172: J2ME™ Web Services
 JSR 173: StAX
 JSR 181: Web Services Metadata for Java
 JSR 208: JBI
 JSR 222: JAXB 2.0
 JSR 224: JAX-WS 2.0
 JSR 921: Implementing Enterprise Web Services 1.1
JAX WS
 Java API for XML Based Web Services (JAX-WS)
– JAX-WS is designed to take the place of JAX-RPC in
Web services and Web applications
– Development of SOAP and REST based Web Services
– Key features:
• Java 5.0
• JAXB
• Dynamic Programming Model
– Message Oriented
– Async functionality
• MTOM
• SAAJ 1.3 based handlers
Web Services Evolution in WebSphere
WebSphere 5.1
 JAX-RPC (JSR-101) 1.0
 JSR-109 1.0
 SAAJ 1.1
 WS-Security (draft)
 WS-I Basic Profile 1.0
 UDDI4J version 2.0 (client)
 Apache Soap 2.3 enhancements
WebSphere 6.0
 JAX-RPC (JSR-101) 1.1
 JSR-109 1.1 – WSEE 1.1
 SAAJ 1.2
 WS-Security 1.0
 WS-I Basic Profile 1.1
 UDDI 3.0
 JAXR
 WS-TX AT Support
WebSphere 6.1
 WS-TX BusinessActivity
 WS-I BSP 1.0
 WS-Notification
 WS-Security (performance)
 SOAP/JMS performance
 WS-RF (Resource Framework)
 WS-Addressing (SOAP / Core)
WebSphere Feature Pack for Web Services
 JAXB 2.0
 JAX-WS 2.0
 StAX 1.1
 SAAJ 1.3
 SOAP 1.2
 MTOM / XOP
 WS-SecureConversation
 WS-Trust
 WS-ReliableMessaging
 WS-DistributedManagement (WSDM)
WebSphere 7.0
 JAXB 2.1
 JAX-WS 2.1
 JSR 109 1.2
 OASIS WS-TX (AT/BA)
 OASIS WS-SX
– WS-SecureConversation
– WS-Trust
– WS-SecurityPolicy
 OASIS Kerberos Token Profile
 W3C WS-Policy
 W3C WS-Addressing Metadata
 WS-MetadataExchange
 WS-I BP 1.2 / 2.0 / RSP

Web services and DataPower
DataPower and Web Services
DataPower supports a wide range of standards
– WSDL 1.1
– SOAP 1.1 / 1.2
– UDDIv3 (including subscriptions)
– WSRR integration
– WS-Security 1.0/1.1 (all token profiles except REL Token)
– SAML 1.0/1.1/2.0
– WS-Policy
– WS-Security Policy
– WS-ReliableMessaging Policy 1.1
– WS-ReliableMessaging 1.1
– WS-Addressing
– WS-SecureConversation
– WS-Notification
– WSDM MoWS
– WSDM MuWS
– WS-Management
– WS-I Basic Profile 1.0 / 1.1
– WS-I Attachments Profile
– WS-I Basic Security Profile 1.0
– XACML 1.0/2.0
– MTOM / XOP
– SOAP w Attachments
XML Accelerator XA35
XML Security Gateway XS40
Integration Appliance XI50
DataPower Web Services Features
 Creating a proxy for an existing Web service
– very simple: importing the WSDL
 Device incorporates information there to establish and
‘virtualize’ backend endpoint info – hosts, ports, URIs
 Front-end (client-facing) is defined
– Can be different port, URI, etc
 From there additional security policies can be added
in the WSDL hierarchy
– Along with message enrichment,
validation, customization, transformation,
dynamic routing, etc
DataPower Web Services Features
 Compliance with management protocols - WSDM, SNMP
 Publishing to UDDI, WSRR registries w/ “live updates”
 DataPower allows authn, authz, auditing (AAA) at any layer of the WSDL tree
 Can pull WSDLs from UDDI, WSRR
 One Web Service Proxy can import and proxy multiple WSDLs
– Allows for consolidated policy definition/enforcement for security, SLM
– DataPower can publish the new ‘combined’ WSDL
Agenda
 Web services, the Vision
 Web services Terminology
 Standards
 WebSphere Feature Pack for Web Services
– Current state-of-the-art in WebSphere
 Summary
WebSphere 6.1 Web Services Feature Pack
 Simplification
• JAX-WS / JAXB 2.0 for programming model
• Policy Sets and Intelligent Defaulting for deployment and administration
 Interoperability
• WS-I Reliable Secure Profile (Asynchronous + MTOM)
 Performance
– WS Feature Pack with JAX-WS outperforms WAS 6.1 JAX-RPC for all payload sizes
• the performance improvements are in the range of 22% to 39% on a large SMP machine
XQuery, XACML, MTOM, XOP, SOAP with Attachments, DIME, XForms, WS-Acknowledgement, WS-Federation, WS-Addressing, WS-Agreement, WS-I18n, WS-Attachments, WS-Authorization, WS-AtomicTransaction, WS-BusinessActivity, WS-CAF, WS-Callback, WS-Coordination, WS-Eventing, WS-Inspection, WS-Manageability, WS-Federation PassiveProfile, WS-EndpointResolution, WS-MessageData, WS-MetadataExchange, WS-Policy, WS-PolicyAssertions, WS-PolicyAttachment, WS-Provisioning, WS-Privacy, WS-Reliability, WS-ReliableMessaging, WS-Routing, WS-SecureConversation, WS-Polling, WS-Security 1.0 & 1.1, WS-SecurityPolicy, WS-Transaction, WS-TransmissionControl, WS-Trust, WSDM, WS-Resource, WS-ResourceProperties, WS-ResourceLifetime, WS-ServiceGroup, WS-BaseFaults, WS-BaseNotification, WS-Topics, WS-BrokeredNotification, SOAP 1.1, SOAP 1.2, WSDL 1.1, WSDL 2.0, UDDI 3.0, SAML 1.0, SAML 2.0, BPEL4WS, WS-BPEL, WS-Choreography, WSRP
[Diagram labels: WS-I Basic Profile 1.1, WS-I Attachment Profile, WS-I Simple SOAP Profile, WS-I Basic Security Profile 1.0, WS-Security 1.0, UsernameToken Profile, WS-I Reliable Secure Profile (RAMP Profile), WS-ReliableMessaging, WS-SecureConversation, WS-Trust, WS-I Basic Profile 1.2, WS-I Basic Profile 2.0, MTOM, WS-Addr, SOAP 1.2, X.509 Token Profile, LTPA Token, WS-Security 1.1]

10,000 foot view of the Web services feature pack
WS-Addressing
WS-SecureConversation
WS-Trust
WS-ReliableMessaging
JAX-WS
MTOM
SOAP 1.2
StAX
WS-Security 1.1
Apache Axis2
SAAJ 1.3
Policy Sets
WS-I Reliable Secure Profile
JAX-B
WS-Reliable Messaging
 Managed Persistent: recoverable, transactional, state managed by messaging engine and protects against network loss, server, and messaging engine failure
 Managed Non-persistent: transactional, state managed by messaging engine and protects against network loss
 Unmanaged Non-persistent: non-transactional and provides resend for network failure
Containers shown: Thin client, Client container, Web container, EJB container
Additional comments
- Useful in async communication only – req/resp is not recoverable
- lost messages if messaging engine fails (or stopped/restarted)
- provider not supported in WAS cluster or zOS
- lost messages if process fails
[Diagram: Sender App with RM Message Store, Provider App with RM Message Store, SOAP / WS-RM flows]
Support for
 Feb 2005 WS-RM 1.0
 OASIS WS-RX WS-RM 1.1
Some interop limitations

Security – what’s new?
 WS-I Reliable Secure Profile introduces WS-SecureConversation
• Session-based Security for continuous message exchange
– Usage of WS-SecureConversation (WS-SC) and WS-Trust
– Leveraging symmetric cryptographic algorithm for performance
> Asymmetric cryptographic algorithm (RSA) is expensive
– Signature confirmation and Key material (derived key)
> Via standard uplift to OASIS WSS 1.1 scenario
 Complementing Session-based security with
Reliable Messaging Sequences
 Ability to use WS-Security from a thin-client
• Programmatic security configuration via an API
JAX-WS
 API abstracting details of Web services, WSDL, SOAP and XML
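 Exploiting Java SE 5 annotations to give a simple programming model
    import javax.ejb.Stateless;
    import javax.jws.WebService;

    // Service endpoint interface: its methods become Web service operations.
    @WebService public interface StockQuote {
        public float getQuote(String sym);
    }
    // Stateless session bean that implements the service interface.
    @Stateless public class QuoteBean implements StockQuote {
        public float getQuote(String sym) { ... }
    }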
Finer grained control with other annotations and parameters:
– @BindingType
– @SOAPBinding
– @WebMethod
– @OneWay
– @WebParam
– @WebFault
– @WebService(targetNamespace="http:// …", wsdlLocation="…", …)
JAXB mapping
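Java class:
    import javax.xml.bind.annotation.XmlAttribute;
    import javax.xml.bind.annotation.XmlElement;
    import javax.xml.bind.annotation.XmlType;

    @XmlType
    public class Trade {
        // Public field mapped to an element named tickerSymbol.
        @XmlElement(name="tickerSymbol")
        public String symbol;
        // Getter/setter pair mapped to an attribute named quantity.
        @XmlAttribute
        int getQuantity() {...}
        void setQuantity(int quantity) {...}
    }
XML Schema:
    <xs:complexType name="trade">
      <xs:sequence>
        <xs:element name="tickerSymbol" type="xs:string"/>
      </xs:sequence>
      <xs:attribute name="quantity" type="xs:int"/>
    </xs:complexType>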
Web services: Qualities of Service and Policy Sets
 Goal:
– Simplify web services configuration – allow reuse of configuration
– Manage Qualities of Service (QOS) as a single entity
 QoS Definitions:
– Policy Type - A single cohesive type of QoS, defined by an XML Schema.
– Policy - A named, configured Policy Type, described by an XML instance.
– Policy Set - A named collection of Policies, pre-canned or user-defined.
 Services:
– Policy Sets are managed via the WAS Admin Console.
– Policy Sets are attached to service components by the container.
 Clients:
– Policy Sets are managed via the Eclipse platform.
– Policy Sets are attached to components via an “attachments” file.
– Ability to import and export Policy Sets between Eclipse and WAS is key.
Agenda
 Web services, the Vision
 Web services Terminology
 Standards
 WebSphere Feature Pack for Web Services
 Summary
– How difficult is this?
Summary: Do not be alarmed
XQuery, XACML, SOAP MTOM, XOP, SOAP with Attachments,
DIME, XForms, SOAP 1.1, SOAP 1.2, WSDL 1.1, WSDL 2.0,
UDDI 2.0, UDDI 3.0, SAML 1.0, SAML 2.0, BPEL4WS, XML
WS-Acknowledgement, WS-Federation, WS-Addressing, WS-Agreement,
WS-I18n, WS-Attachments, WS-Authorization, WS-AtomicTransaction,
WS-BusinessActivity, WS-CAF, WS-Callback, WS-Coordination,
WS-Eventing, WS-Events, WS-Inspection, WS-Manageability,
WS-Federation PassiveProfile, WS-EndpointResolution, WS-MessageData,
WS-MetadataExchange, WS-Policy, WS-PolicyAssertions, WS-PolicyAttachment,
WS-Provisioning, WS-Privacy, EPAL, WS-Referral, WS-Reliability,
WS-ReliableMessaging, WS-RM Policy Assertion, WS-Routing,
WS-SecureConversation, WS-Polling, WS-Security 1.0, WS-Security 1.1,
WS-SecurityPolicy, WS-Transaction, WS-TransmissionControl, WS-Trust,
WS-Resource, WS-ResourceProperties, WS-ResourceLifetime, WS-ServiceGroup,
WS-BaseFaults, WS-BaseNotification, WS-Topics, WS-BrokeredNotification,
WS-BPEL, WS-Choreography
Overwhelming standards landscape
Understandable in terms of WS-I profiles
Delivered in specific product versions
Developer sees little of this complexity – just use the chosen tool versions
Continued simplification of tooling, programming model and administration
Standards are addressing real needs
Profiles yield interoperability
Resources
 WS-I Reliable Secure Profile
http://www.ws-i.org/deliverables/workinggroup.aspx?wg=reliablesecure
 JAX-WS 2.0
http://www.jcp.org/en/jsr/detail?id=224
 JAXB 2.0
http://www.jcp.org/en/jsr/detail?id=222
 Pattern Solutions
http://www-128.ibm.com/developerworks/rational/products/patternsolutions/
 SOAP 1.2
http://www.w3.org/TR/soap/
 MTOM
http://www.w3.org/TR/2005/REC-soap12-mtom-20050125/
Resources (continued)
 OASIS WS-ReliableExchange
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ws-rx
 W3C WS-Addressing
http://www.w3.org/2002/ws/addr/
 OASIS WS-Security
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
 WS-SecureConversation
http://www-128.ibm.com/developerworks/library/specification/ws-secon
 WS-Transactions
http://www.alphaworks.ibm.com/wsspec/agreement/ws-tx
 Apache Axis2
http://ws.apache.org/axis2
Web Services Feature Pack Support
Features
JCP-based programming model
– JAX-WS 2.0
– JAXB 2.0
– SAAJ 1.3
– StAX 1.0
Web Services Standards
– WS-I Reliable Secure Profile
• WS-ReliableMessaging
• WS-SecureConversation
• WS-Addressing
• WS-I Basic Security Profile
• WS-I Basic Profile 1.0
– SOAP 1.2, MTOM / XOP
– WS-Transactions
– WS-Distributed management (WSDM)
Policy Sets
Benefits
Standardized (and portable)
application programming model
– Simple annotation based
– Fast pull parser based
– Asynchronous programming model
Standards-based Interoperability
w/other vendors implementations
– Securely
– Reliably
– Asynchronously
– Efficiently
– Transactionally
Standards-based Manageability
Administration Improvements
JAX-WS 2.0
 Java API for XML Web services.
 Successor to JAX-RPC 1.1.
 Maps WSDL <-> Java.
 Supports
– asynchrony.
– multiple data bindings
• JAX-B 2.0 - Preferred.
• SAAJ 1.3 (SOAPMessage).
• XML Source.
• Activation DataSource.
– Java SE 5.0 annotations (including
JSR 181)
– WSDL customizations.
– SOAP 1.1, SOAP 1.2, MTOM, WS-I
Basic Profile
 To be included in Java SE 6.
[Diagram: WSDL (<service>, <binding>, <portType>, <message>) and the Java artifacts (Service Interface, Proxy Interface, Java Intrinsics, JAX-B Classes, Implementation), related by "Creates", "Uses" and "Implemented by" arrows through the WSImport and WSGen tools]
JAXB
 Annotating XML Schema
– <jaxws:class>
– <jaxws:method>
 MTOM mappings supported
– Image
– MIME DataHandler
[Diagram: JAXB binding. Boxes: <Schema>, <Document>, Object, Classes, <Binding Declaration> (optional). Arrows: Bind, Valid for, Instance of, Serialize, Deserialize]
Other programmatic enhancements
 Interoperate with Microsoft WCF (WsHttpBinding)
– SOAP 1.2, WS-Addressing and MTOM are chosen as the defaults
    import javax.jws.WebService;
    import javax.xml.ws.BindingType;
    import javax.xml.ws.soap.SOAPBinding;

    // endpointInterface names the service endpoint interface, not the implementation class.
    @WebService(serviceName="SOAP12Service", portName="SOAP12Port",
        targetNamespace = "http://test.soap12.proxy",
        endpointInterface = "a.b.SOAP12Port",
        wsdlLocation="WEB-INF/wsdl/soap12doclit.wsdl")
    @BindingType(value=SOAPBinding.SOAP12HTTP_BINDING)
    public class SOAP12PortImpl implements SOAP12Port {
    }
 Allow long-running services to respond via a separate connection
– i.e. Asynchronous Messaging on-the-wire
 Query the reliable messaging runtime to know whether or not the message was sent (and acknowledgement received)
Packaging model
 Simple jar file packaging
– Provider side
• bundle JAX-WS “annotated” classes, WSDL, and XSD
schema within a WAR module
– Client side
• bundle JAX-WS “annotated” classes, WSDL, and XSD
schema within any J2EE module
– Thin client
• Place JAX-WS “annotated” classes , WSDL, and XSD
schema along with the stand-alone thin client web services
redistributable runtime
Web Services Standards Update in FP
 OASIS
– WS-ReliableExchange – WS-RX (Reliable Messaging)
• Officially approved as a standard – June 21, 2007
– WS-SecureExchange – WS-SX (WS-SecureConversation, WS-Trust)
• Officially approved as a standard – April 2, 2007
 WS-I Reliable Secure Profile
– Requirements and use case document are at Working Group Approval Draft
– Due to test/approval cycles – target final: 1Q 2009
 WS-I Basic Profile
– 1.2 (BP 1.1, WS-Addressing, MTOM for SOAP 1.1)
• Board Approval Draft on March 28, 2008, and republished in Nov due to WS-A Metadata
• Target final: 1st half 2008
– 2.0 (BP 1.1, WS-Addressing, MTOM, SOAP 1.2, UDDI)
• Profile issue resolution close to complete
• Discussion on test scenarios starting
• WGAD approved Nov 2nd
• Target final: 2nd half 2008