Web Services New Hype or Real Use?

1
Web ServicesNew Hype or Real Use?

• Presented by
• Joseph J. Sarna Jr., MCSD
• JJS Systems, LLC

2
Agenda

• What are web services?
• How Do We Create or Use Web Services?
• Platform Comparisons
• Web Services Security
• Summary

3
What are Web Services?

• The next generation of applications designed for
  machine consumption
• Applications that can be called remotely via HTTP
  requests
• Language agnostic
• Can be called from any platform or client type
• Uses SOAP and XML as the transfer medium
• Allows passing of data through firewalls

4
Examples of Web Services

• Stock price retrieval
• Monetary Conversion
• Credit Card Validations
• Dictionary Service
• Language Conversion
• Purchase history retrieval
• Current inventory Retrieval
• Employee benefits updates

5
Agenda

• What are web services?
• How Do We Create or Use Web Services?
• Platform Comparisons
• Web Services Security
• Summary

6
How Do We Create or Use Web Services?

• What do we need as developers to
• Create a web service?
• Consume a web service?
• Especially if we need to communicate with
  different platforms and programming languages
• Standards!

7
World Wide Web Consortium Standards

• W3C Standards - http//www.w3.org/
• W3C Web Services Group-http//www.w3.org/2002/ws/
• W3C SOAP Group - http//www.w3.org/2000/xp/Group/
• W3C XML Group - http//www.w3.org/XML/

8
Requirements for Web Services Development

• A standard way to represent data
• A common, extensible, message format
• A common, extensible, service description
  language
• A way to discover services located on a
  particular Web site
• A way to discover service providers

9
Standard Representation of Data

• XML 1.0 defines the universally supported
  transfer syntax
• XML Schema defines XML's type system.
• Plain text transferred in a relational format

10
Common Message Format

• SOAP Simple Object Access Protocol
• A protocol specification that defines a uniform
  way of passing XML-encoded data. (Wrapper around
  the XML Data)
• Defines a way to perform remote procedure calls
  (RPCs) using HTTP as the underlying communication
  protocol.
• Submitted in 2000 to the W3C as a Note by IBM,
  Microsoft, UserLand, and DevelopMentor

11
Common Service Description Language

• WSDL Web Services Description Language
• Provides a way for service providers to describe
  the basic format of web service requests over
  different protocols or encodings.
• WSDL is a template for how web services should be
  described and bound to clients
• Fed-Ex Tracking WSDL

12
Method to Discover Services and Providers

• UDDI Universal Description, Discovery and
  Integration
• Provides a mechanism for clients to dynamically
  find other web services.
• A UDDI registry is established to allow
• Businesses to publish a service and its usage
  interfaces
• Clients to obtain services and bind
  programmatically to them.

13
Consuming Web Services
14
Agenda

• What are web services?
• How Do We Create or Use Web Services?
• Platform Comparisons
• Web Services Security
• Summary

15
Platform Comparisons - Service Description

• J2EE
• Supports WSDL
• Supports web services registries
• .NET
• Supports the WSDL 1.1 specification, however, an
  XML namespace is used within a WSDL document to
  uniquely identify the Web Service's endpoints.
• Supports Web services registries

16
Platform Comparisons - Service Implementation

• J2EE
• Existing Java classes and applications can be
  wrapped using the Java API for XML-based RPC
  (JAX-RPC) and exposed as Web Services.
• With J2EE, business services written as
  Enterprise JavaBeans are wrapped and exposed as
  Web Services.
• .NET
• .NET applications are compiled to an intermediate
  binary code called the Microsoft Intermediate
  Language (MSIL).
• This code is then compiled to native code using a
  Just In Time compiler (JIT) at run time and run
  in a virtual machine called the Common Language
  Runtime (CLR).

17
Service Publishing, Discovery and Binding

• J2EE
• Java API for XML Registries (JAXR) is a single
  general purpose API for interoperating with
  multiple registry types. There are three types of
  JAXR providers
• The JAXR Pluggable Provider, which implements
  features of the JAXR specification that are
  independent of any specific registry type.
• The JAXR Bridge Provider, which serves as a
  bridge to a class of registries such as ebXML or
  UDDI.
• .NET
• Discovery of Web Services with DISCO in the form
  of a discovery (DISCO) file, an XML document that
  contains links to other resources that describe
  the Web Service.
• Supports UDDI
• Provides a .NET UDDI server

18
Service Invocation and Execution

• J2EE
• J2EE uses the Java API for XML-based RPC
  (JAX-RPC) to send SOAP method calls to remote
  parties and receive the results.
• A Web Service client uses a JAX-RPC service by
  invoking remote methods on a service port
  described by a WSDL document.
• .NET
• Implementing a Web Service listener by
• Using the built in .NET SOAP message classes
• Constructing a Web Service listener manually,
  using MSXML, ASP, or ISAPI, etc.
• Using the Microsoft Soap Toolkit to build a Web
  Service listener that connects to a business
  application, implemented using COM.

19
Agenda

• What are web services?
• How Do We Create or Use Web Services?
• Platform Comparisons
• Web Services Security
• Summary

20
Web Services Security

• Three types of potential threats that need to be
  considered and addressed
• The SOAP message could be modified or read by
  hackers.
• A hacker could send messages to a service that,
  while well-formed, lack appropriate security
  claims to carry on the processing.
• Service theft
• Addressed by the WS-Security Standards of W3C

21
Message Security

• The specification only indicates that security
  tokens may be bound to messages.
• A claim can be either endorsed or unendorsed by a
  trusted authority with a signed security token
  that is digitally signed or encrypted by the
  authority.
• An unendorsed claim, on the other hand, can be
  trusted if there is a trust relationship between
  the sender and the receiver.
• One special type of unendorsed claim is
  Proof-of-Possession. For example, a
  username/password combination.

22
Message Protection

• WS-Security provides a means to protect messages
  by encrypting and/or digitally signing a body, a
  header, an attachment, or any combination of
  these items.
• Message integrity is provided by using XML
  Signature in conjunction with security tokens to
  ensure that messages are transmitted without
  modifications.
• Message confidentiality leverages XML Encryption
  in conjunction with security tokens to keep
  portions of a SOAP message confidential.

23
Missing or Inappropriate Claims

• The standards specify that a message receiver
  should reject a message with an invalid
  signature, or missing or inappropriate claims, as
  if it is an unauthorized (or malformed) message.

24
Agenda

• What are web services?
• How Do We Create or Use Web Services?
• Platform Comparisons
• Web Services Security
• Summary

25
Summary

• Hype?
• Still a ways to go for mainstream use.
• Security still needs work.
• Real Use?
• Informational services available now, some free,
  some fee.
• Internal web services (Intranets) possible now.
• Security via SSL or VPN available now.

26
New Hampshire User Groups

• Manchester Java User Group Second Wednesday of
  the month SNHU campus http//www.manjug.org
• NE C User Group Second Thursday of the month
  SNHU campus http//www.csharp.4square.us/
• NH .NET User Group Third Thursday of the month
  BU Training Center, Tyngsboro, MA -
  http//www.nhdnug.net/
• NH VB User Group Fourth Wednesday of the month
  SNHU campus http//www.nhvbug.com