Colorado Software Summit: October 26 – 31, 2003 © Copyright 2003, IBM Corporation
Kelvin Lawrence – Web Services Advanced Topics: Beyond SOAP, WSDL, and UDDI Page 1
Web Services Advanced Topics: Beyond SOAP, WSDL, and UDDI
Kelvin R. Lawrence, Distinguished Engineer & CTO, Dynamic e-business Technology, IBM Software Group, Austin, [email protected]
NOTE: This is a fast moving area and updated slides may be used in the actual presentation. The updated slides will be on the post conference CD.
About Updated Slides
Inserted slides are marked “New”
Modified slides are marked “ “
This version of the slides will be on the post conference CD.
Agenda
An overview of several new technologies for Web Services:
The Web Services “stack” of technologies
Web Services Security (covered in detail in my other session)
Web Services Policy
Trust and long running secure conversations
Web Services Federation
Web Services Reliable Messaging
Business Process Execution Language
Web Services Interoperability
Note: subjects listed in Bold Font are presented in more depth than the others.
What’s New with SOAP and UDDI
W3C publishes SOAP 1.2 Recommendation, June 2003
“Recommendation” status means finished, effectively a standard
Specs available at http://w3.org:
• SOAP Version 1.2 Part 0: Primer
• SOAP Version 1.2 Part 1: Messaging Framework
• SOAP Version 1.2 Part 2: Adjuncts
UDDI 2.0 declared an OASIS Standard
Specs available at http://oasis-open.org
The Web Services “Stack”
(Diagram: the stack of Web services technologies, bottom to top. Transport: Transports. Messaging and Encoding: XML, XML Infoset; SOAP, SOAP Attachments. Description and Discovery: WSDL, UDDI. Quality of Service: WS-Security family of specifications, WS-Policy, WS-ReliableMessaging, WS-Coordination, WS-Transactions. Business Processes: Business Process Execution Language. Alongside the stack: Other protocols, Other services.)
Technologies Discussed in This Presentation
(Diagram: the same Web services stack as on the previous slide, marking the technologies covered in this presentation: WS-Security family, WS-Policy, WS-ReliableMessaging, Business Process Execution Language.)
Namespaces and Web Services Specifications
The composable and extensible Services Oriented Architecture built on Web services technologies is managed by way of XML Namespaces that identify the vocabulary that defines a given element. The abbreviations are arbitrary; yet there are conventional abbreviations that we use here.
S: SOAP 1.2 envelope elements (http://www.w3.org/2002/06/soap-envelope)
wsse: WS-Security SOAP envelope extensions (http://schemas.xmlsoap.org/ws/2003/07/secext)
wsu: Web services utility extensions (http://schemas.xmlsoap.org/ws/2002/07/utility)
wsp: WS-Policy extensions (http://schemas.xmlsoap.org/ws/2002/12/policy)
wsrm: WS-Reliable Messaging extensions
WS-Security
http://oasis-open.org/committees/download.php/1204/doc-index.html
(Diagram: the Web services stack with the WS-Security family expanded in the Quality of Service layer: WS-Security (framework) with X509, Kerberos, XrML, Username, XCBF and SAML profiles; built on it, WS-SecurityPolicy, WS-Privacy, WS-SecureConversation, WS-Authorization, WS-Trust and WS-Federation.)
Why HTTPS Is Not Enough for Web Services
HTTPS is protocol-level security
Point-to-point: lasts only for duration of the connection
Does not secure solutions that use other protocols (JMS, MQ)
“All or nothing” encryption only
Weak integrity concept
Does not support other security mechanisms
(Diagram: a Service Requester App reaches an HTTPS to JMS Gateway behind the firewall over the Internet; the gateway forwards to the Back end Application, and a Business Partner is reached over the Internet. The HTTPS leg is labelled "SECURE"; HTTPS security stops at the gateway, and the remaining hops are marked "SECURE?".)
Security Considerations with SOAP Messaging
How to include security credentials in the message
How to use element-wise encryption: expose some parts for routing, hide critical data from unauthorized parties
How to use digital signatures
Security must persist from originator to processing end-point, for the life of the transaction
Security survives call to external business partner
Use with, or instead of, protocol-level security
(Diagram: a SOAP message carrying credentials travels from the Service Requester App over the Internet, through the firewall and Gateway, across the intranet to the Back end Application, and on over the Internet to a Business Partner.)
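As an added illustration of the point made on the previous two slides (example code written for this transcript, not IBM's and not from any WS-Security toolkit), the following Python signs the one element referenced by wsu:Id and then lets a simulated HTTPS-to-JMS gateway, where transport protection has ended, alter the message: rewriting the routing header leaves the signature valid, changing the signed element does not. HMAC-SHA256 over ElementTree's serialisation stands in for an XML Signature with canonicalisation; the key, envelope layout and element names are constructed assumptions.

```python
"""Added example: detached message-level integrity that survives an intermediary.
A real WS-Security deployment would use XML Signature with Exclusive C14N and
key material from a security token; HMAC-SHA256 over ElementTree's own
serialisation is a stand-in so the example runs with the standard library."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSU = "http://schemas.xmlsoap.org/ws/2002/07/utility"   # from the namespaces slide
WSSE = "http://schemas.xmlsoap.org/ws/2003/07/secext"
ET.register_namespace("wsu", WSU)
ET.register_namespace("wsse", WSSE)
SHARED_KEY = b"constructed-demo-key"   # stand-in for a key agreed out of band

# Constructed request: a routing header the gateway may touch, and a Body
# (identified by wsu:Id) that the back-end application relies on.
REQUEST = f"""<Envelope xmlns:wsu="{WSU}" xmlns:wsse="{WSSE}">
  <Header><Route>https-gateway</Route></Header>
  <Body wsu:Id="body"><Transfer><Amount>100</Amount></Transfer></Body>
</Envelope>"""


def _signed_bytes(envelope, ref_id):
    """Serialise the element carrying the given wsu:Id. An XML Signature would
    canonicalise here so that namespace or whitespace rewriting cannot break it."""
    for el in envelope.iter():
        if el.get(f"{{{WSU}}}Id") == ref_id:
            return ET.tostring(el)
    raise ValueError(f"no element with wsu:Id={ref_id!r}")


def sign(xml, ref_id, key):
    """Originator: add a wsse:Security header holding a detached MAC over #ref_id."""
    env = ET.fromstring(xml)
    mac = hmac.new(key, _signed_bytes(env, ref_id), hashlib.sha256).hexdigest()
    sec = ET.SubElement(env.find("Header"), f"{{{WSSE}}}Security")
    sig = ET.SubElement(sec, "Signature", {"URI": "#" + ref_id, "Algorithm": "hmac-sha256"})
    sig.text = mac
    return ET.tostring(env, encoding="unicode")


def verify(xml, key):
    """Ultimate receiver: recompute the MAC over the referenced element only."""
    env = ET.fromstring(xml)
    sig = env.find(f"Header/{{{WSSE}}}Security/Signature")
    uri = sig.get("URI", "") if sig is not None else ""
    if not uri.startswith("#"):
        return False   # unsigned or malformed reference: treat as not trustworthy
    expected = hmac.new(key, _signed_bytes(env, uri[1:]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig.text or "")


def gateway(xml, route=None, amount=None):
    """Simulated HTTPS-to-JMS gateway. HTTPS protection ended at this hop, so it
    can change anything; rewriting the route is legitimate, the amount is not."""
    env = ET.fromstring(xml)
    if route is not None:
        env.find("Header/Route").text = route
    if amount is not None:
        env.find(".//Amount").text = amount
    return ET.tostring(env, encoding="unicode")


def demo():
    """Returns (valid as signed, valid after re-routing, valid after tampering)."""
    signed = sign(REQUEST, "body", SHARED_KEY)
    rerouted = gateway(signed, route="jms-queue")    # header outside the signature
    tampered = gateway(signed, amount="100000")      # signed element changed
    return verify(signed, SHARED_KEY), verify(rerouted, SHARED_KEY), verify(tampered, SHARED_KEY)
```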
WS-Security: SOAP Message Security
A foundational set of SOAP message extensions for building secure Web services
Defines SOAP usage for several popular security technologies in message-level security:
• Kerberos, Public Key Encryption, HTTPS, IPSEC, XrML
• XML Signature, XML Encryption, XKMS from W3C
• SAML, XACML from OASIS
• Six new and planned specifications
Goals:
Enable enterprises to protect their investments and assets as business processes become Web services
Same-domain and cross-domain secure messaging
Platform-neutral interoperability
End-to-end security
Extensibility
WS-Security: SOAP Message Security
Flexible, composable specification
Designed to be used as basis for securing Web services
Wide variety of security models including PKI, Kerberos, and SSL
Provides support for:
Multiple security token formats
Multiple trust domains
Multiple signature formats
Multiple encryption technologies
This specification replaces and extends earlier work, e.g. the IBM/Microsoft W3C "SOAP-Sec" Note (January 2001) is now obsolete
Resources: Security
Latest WS-Security specifications are available on http://oasis-open.org
Incorporates errata, includes changes from working group
Other specs are available on http://ibm.com/developerworks
Search for WS-Security to get the entire list
Whitepaper: “Web Services Security: Moving up the stack”, http://ibm.com/developerworks/webservices/library/ws-secroad/ (published December, 2002)
Original plan for WS-Policy is described in the WS-Security Roadmap, http://ibm.com/developerworks/webservices/library/ws-secmap/ (published April, 2002). Differs somewhat from specifications, which are the definitive source of information
Full-length presentation on WS-Security: visit http://ibm.com/developerworks/speakers/colan
WS-Policy: Web Services Policy Framework
(Diagram: the Web services stack with WS-Policy expanded in the Description and Discovery layer: WS-Policy (framework) with WS-PolicyAttachments, WS-PolicyAssertions, WS-SecurityPolicy and other policies.)
What Is a Policy?
A policy is a set of capabilities, requirements, preferences, and general characteristics about entities in a system
The elements of a policy (policy assertions) can express:
Security requirements or capabilities
Various Quality of Service (QoS) characteristics
Any other kinds of policies that are required
WS-Policy defines a general purpose, extensible model and grammar (“framework”) for describing policies in a Web services system:
Simple, declarative policies
More complex, conditional policies
WS-Policy
http://ibm.com/developerworks/webservices/library/ws-polfram
(Diagram: WS-Policy (framework) with WS-PolicyAttachments, WS-PolicyAssertions, WS-SecurityPolicy and other policies.)
WS-Policy defines the framework for policy definition:
The container element <Policy>
The organizing operator elements
The “Preference” and “Usage” concepts / attributes
An inclusion / reuse mechanism
WS-Policy does NOT define:
Any specific policy assertions. These are defined by WS-PolicyAssertions, WS-SecurityPolicy, others yet to be invented
The binding to a policy subject. This is defined in WS-PolicyAttachment.
Policy Example: Security and Authentication Options
<wsp:Policy xmlns:wsse="..." xmlns:wsp="...">
  <wsp:ExactlyOne>
    <wsse:SecurityToken TokenType="wsse:Kerberosv5TGT" wsp:Usage="wsp:Required" wsp:Preference="100"/>
    <wsse:SecurityToken TokenType="wsse:X509v3" wsp:Usage="wsp:Required" wsp:Preference="1"/>
  </wsp:ExactlyOne>
</wsp:Policy>
Meaning:
A valid request can contain any one of the two SecurityTokens
Kerberos and X509 are supported authentication tokens
Kerberos is preferred over X509
Policy Terminology
<wsp:Policy xmlns:wsse="..." xmlns:wsp="...">
  <wsp:ExactlyOne>
    <wsse:SecurityToken TokenType="wsse:Kerberosv5TGT" wsp:Usage="wsp:Required" wsp:Preference="100"/>
    <wsse:SecurityToken TokenType="wsse:X509v3" wsp:Usage="wsp:Required" wsp:Preference="1"/>
  </wsp:ExactlyOne>
</wsp:Policy>
Policy assertion: a preference, requirement, capability or other property
Policy statement: a group of policy assertions
Policy expression: a representation of one or more policy statements
A policy subject is an entity (e.g. an endpoint, object, or resource) to which a policy can be bound (see WS-PolicyAttachment).
Policy Operators
<wsp:Policy xmlns:wsp="..." xmlns:wsse="...">
  <wsp:ExactlyOne>
    <wsp:All wsp:Preference="100">
      <wsse:SecurityToken TokenType="wsse:Kerberosv5TGT"/>
      <wsse:Algorithm Type="wsse:AlgSignature" URI="http://www.w3.org/2000/09/xmlenc#aes"/>
    </wsp:All>
    <wsp:All wsp:Preference="1">
      <wsse:SecurityToken TokenType="wsse:X509v3"/>
      <wsse:Algorithm Type="wsse:AlgEncryption" URI="http://www.w3.org/2001/04/xmlenc#3des-cbc"/>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
Operators can be ExactlyOne, OneOrMore, or All. In this example:
The primary operator ExactlyOne is a policy statement
The subordinate operator All groups two related policy assertions
Policy Preferences
<wsp:Policy xmlns:wsp="..." xmlns:wsse="...">
  <wsp:ExactlyOne>
    <wsp:All wsp:Preference="100">
      <wsse:SecurityToken TokenType="wsse:Kerberosv5TGT"/>
      <wsse:Algorithm Type="wsse:AlgSignature" URI="http://www.w3.org/2000/09/xmlenc#aes"/>
    </wsp:All>
    <wsp:All wsp:Preference="1">
      <wsse:SecurityToken TokenType="wsse:X509v3"/>
      <wsse:Algorithm Type="wsse:AlgEncryption" URI="http://www.w3.org/2001/04/xmlenc#3des-cbc"/>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
The Preference attribute indicates the preferred policy assertions among the listed choices.
Larger numbers are preferred
Policy Usage
<wsp:Policy xmlns:wsse="..." xmlns:wsp="...">
  <wsp:ExactlyOne>
    <wsse:SecurityToken TokenType="wsse:Kerberosv5TGT" wsp:Usage="wsp:Required" wsp:Preference="100"/>
    <wsse:SecurityToken TokenType="wsse:X509v3" wsp:Usage="wsp:Required" wsp:Preference="1"/>
  </wsp:ExactlyOne>
</wsp:Policy>
The Usage attribute specifies how the assertion is used:
Required – assertion must be applied to the subject; if not supported, fail.
Rejected – assertion is not allowed. If present, fail.
Optional – assertion may be made, but may not be applied
Observed – assertion is applied, and requesters are informed that it is applied
Ignored – assertion is processed, but ignored, and requestors are informed.
Policy Inclusion
<wsp:Policy wsu:Id="audit" xmlns:wsp="..." xmlns:wsu="..." xmlns:wssx="...">
  <wssx:Audit wsp:Usage="wsp:Observed"/>
</wsp:Policy>

<wsp:Policy xmlns:wsp="..." xmlns:wsse="...">
  <wsp:PolicyReference URI="#audit"/>
  <wsse:SecurityToken TokenType="wsse:X509v3" wsp:Usage="wsp:Required"/>
</wsp:Policy>
<wsp:PolicyReference> allows assertions to be shared among policy expressions. It includes the content of one policy expression in another expression. In this example:
the wsu:Id attribute makes the policy holding the <wssx:Audit> element addressable as #audit
the <wssx:Audit> element effectively replaces the <wsp:PolicyReference> element in the policy statement.
Reusing a Portion of a Policy
<wsp:Policy xmlns:wsp="..." xmlns:wsu="..." xmlns:cus="...">
  <cus:Assert1>
    <wsp:ExactlyOne wsu:Id="options">
      <cus:Option1 wsp:Usage="wsp:Required"/>
      <cus:Option2 wsp:Usage="wsp:Required"/>
      <cus:Option3 wsp:Usage="wsp:Required"/>
    </wsp:ExactlyOne>
  </cus:Assert1>
  <cus:Assert2>
    <wsp:PolicyReference URI="#options"/>
  </cus:Assert2>
</wsp:Policy>
The identification mechanism for <wsp:PolicyReference> can also be used with operator elements. In this example:
the wsu:Id attribute makes the <wsp:ExactlyOne> group addressable as #options
the <wsp:ExactlyOne> group effectively replaces the <wsp:PolicyReference> element in the policy statement.
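The operator, preference, usage and inclusion slides above describe one evaluation model; the following added example (written for this transcript, not from the slides or any WS-Policy toolkit) implements it in Python on a constructed policy: it resolves wsp:PolicyReference by wsu:Id, expands ExactlyOne / All / OneOrMore into alternatives, and returns the highest-preference alternative a request satisfies, honouring Required, Rejected, Observed and Ignored. The wsp, wsse and wsu URIs are the ones from the namespaces slide; the wssx namespace, the sample assertions, taking the largest Preference in a combination, and treating a missing Usage as Required are assumptions of this example.

```python
"""Added example: resolve wsp:PolicyReference inclusions, expand the operators
into flat alternatives, then choose the alternative a request satisfies."""
import copy
import xml.etree.ElementTree as ET

# Namespace URIs from the namespaces slide; wssx is a constructed placeholder.
WSP = "http://schemas.xmlsoap.org/ws/2002/12/policy"
WSSE = "http://schemas.xmlsoap.org/ws/2003/07/secext"
WSU = "http://schemas.xmlsoap.org/ws/2002/07/utility"
WSSX = "urn:example:wssx"
ID_ATTR, USAGE_ATTR, PREF_ATTR = f"{{{WSU}}}Id", f"{{{WSP}}}Usage", f"{{{WSP}}}Preference"
POLICY, ALL, EXACTLY_ONE, ONE_OR_MORE, REFERENCE = (
    f"{{{WSP}}}{n}" for n in ("Policy", "All", "ExactlyOne", "OneOrMore", "PolicyReference"))

# Constructed sample: an "audit" policy pulled in by reference, a blanket rejection
# of username tokens, and the Kerberos-vs-X.509 choice from the slides.
POLICY_DOC = f"""<policies xmlns:wsp="{WSP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:wssx="{WSSX}">
  <wsp:Policy wsu:Id="audit">
    <wssx:Audit wsp:Usage="wsp:Observed"/>
  </wsp:Policy>
  <wsp:Policy wsu:Id="auth">
    <wsp:PolicyReference URI="#audit"/>
    <wsse:SecurityToken TokenType="wsse:UsernameToken" wsp:Usage="wsp:Rejected"/>
    <wsp:ExactlyOne>
      <wsp:All wsp:Preference="100">
        <wsse:SecurityToken TokenType="wsse:Kerberosv5TGT" wsp:Usage="wsp:Required"/>
        <wsse:Integrity wsp:Usage="wsp:Required"/>
      </wsp:All>
      <wsse:SecurityToken TokenType="wsse:X509v3" wsp:Usage="wsp:Required" wsp:Preference="1"/>
    </wsp:ExactlyOne>
  </wsp:Policy>
</policies>"""


def resolve_references(root):
    """Inline every wsp:PolicyReference: a referenced wsp:Policy contributes its
    children; a referenced operator group (e.g. wsp:ExactlyOne) is inlined whole."""
    by_id = {el.get(ID_ATTR): el for el in root.iter() if el.get(ID_ATTR)}
    for parent in list(root.iter()):
        for ref in [c for c in parent if c.tag == REFERENCE]:
            uri = ref.get("URI", "")
            if not uri.startswith("#") or uri[1:] not in by_id:
                raise ValueError(f"unresolvable PolicyReference {uri!r}")
            target = by_id[uri[1:]]
            pos = list(parent).index(ref)
            parent.remove(ref)
            for offset, el in enumerate(list(target) if target.tag == POLICY else [target]):
                parent.insert(pos + offset, copy.deepcopy(el))
    return root


def alternatives(el):
    """Return [(preference, [assertion elements]), ...] for an expression; the
    preference of a combination is the largest one seen (this example's convention)."""
    pref = int(el.get(PREF_ATTR, 0))
    if el.tag in (POLICY, ALL):
        alts = [(pref, [])]
        for child in el:
            alts = [(max(p, q), a + b) for p, a in alts for q, b in alternatives(child)]
        return alts
    if el.tag == EXACTLY_ONE:
        return [(max(pref, p), a) for child in el for p, a in alternatives(child)]
    if el.tag == ONE_OR_MORE:   # every non-empty combination of the children
        alts = [(pref, [])]
        for child in el:
            alts += [(max(p, q), a + b) for p, a in alts for q, b in alternatives(child)]
        return [(p, a) for p, a in alts if a]
    return [(pref, [el])]


def assertion_key(el):
    """Readable key for an assertion: local name, plus TokenType when present."""
    local = el.tag.rsplit("}", 1)[-1]
    return f"{local}/{el.get('TokenType')}" if el.get("TokenType") else local


def select_alternative(policy, presented):
    """Match the policy against the assertion keys a request presents. Required:
    must be present. Rejected: must be absent. Observed/Ignored never block but are
    reported back. Returns the best satisfiable alternative, or None (a fault)."""
    for pref, assertions in sorted(alternatives(policy), key=lambda t: -t[0]):
        required, reported, ok = [], [], True
        for el in assertions:
            key = assertion_key(el)
            usage = el.get(USAGE_ATTR, "wsp:Required").split(":")[-1]  # absent: assume Required
            if usage == "Required":
                required.append(key)
                ok = ok and key in presented
            elif usage == "Rejected":
                ok = ok and key not in presented
            elif usage in ("Observed", "Ignored"):
                reported.append(f"{key}:{usage}")
        if ok:
            return {"preference": pref, "requires": required, "reported": reported}
    return None


def evaluate(doc, policy_id, presented):
    """Parse, resolve inclusions, then evaluate the wsp:Policy with the given wsu:Id."""
    root = resolve_references(ET.fromstring(doc))
    policy = next(p for p in root.iter(POLICY) if p.get(ID_ATTR) == policy_id)
    return select_alternative(policy, set(presented))
```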
WS-PolicyAttachments
(Diagram: the Web services stack with WS-PolicyAttachments highlighted within the WS-Policy family in the Description and Discovery layer.)
WS-PolicyAttachment Specification
http://ibm.com/developerworks/webservices/library/ws-polatt/
Defines means of associating a policy expression with one or more subjects or resources:
arbitrary XML element(s) (policy is defined as part of the definition of the subject)
arbitrary non-XML resource(s) (policy is externally bound)
Describes the use of these mechanisms with WSDL and UDDI artifacts:
How to reference policies from WSDL definitions
• Messages and PortTypes
How to associate policies with specific instances of WSDL services
• Services and Ports
How to associate policies with UDDI entities
• businessService and bindingTemplate
How to define a policy expression in a UDDI registry as a tModel
Such bindings need to be able to be secured (so they can be trusted)
WS-PolicyAssertions
(Diagram: the Web services stack with WS-PolicyAssertions highlighted within the WS-Policy family in the Description and Discovery layer.)
WS-PolicyAssertions
http://ibm.com/developerworks/webservices/library/ws-polas
Defines a set of basic assertions for describing general processing semantics for Web services:
Types of text encodings that are allowed, rejected, required, preferred
Natural languages that are allowed, rejected, required, preferred
Web services specifications and version numbers to which the subject conforms
Ensure that a message conforms to a given pre-condition
Examples:
• policy-assertions-language.xml
• policy.xsd
New
WS-SecurityPolicy
http://www.ibm.com/developerworks/webservices/library/ws-secpol/
Defines a set of assertions that are typical when dealing with issues of security. Includes assertions for:
SecurityToken
• Example: I will only accept certain token types (e.g. SAML, X.509).
Integrity
• Example: Message must be signed and must use specific algorithms.
Confidentiality
• Example: I require a specific encryption algorithm be used.
MessageAge
Builds upon the WS-Policy framework.
Example:
Policy-expression.xml
Resources: Policy
All specs are available on http://ibm.com/developerworks
Search for WS-Policy to get the entire list
Whitepaper: “Web Services Security: Moving up the stack”, http://ibm.com/developerworks/webservices/library/ws-secroad/ (published December, 2002)
Original plan for WS-Policy is described in the WS-Security Roadmap, http://ibm.com/developerworks/webservices/library/ws-secmap/ (published April, 2002). Differs somewhat from specifications, which should be considered the definitive source of information.
New
Establishing “Trust”
Trust is the characteristic that one entity is willing to rely upon a second entity to execute a set of actions and/or to make a set of assertions about a set of subjects and/or scopes.
Direct trust is when a relying party accepts as true all (or some subset of) the claims in the token sent by the requestor.
Direct Brokered Trust is when one party trusts a second party who, in turn, trusts or vouches for, a third party.
Indirect Brokered Trust is a variation on direct brokered trust where the second party negotiates with the third party, or additional parties, to assess the trust of the third party.
New
WS-Trust
http://www.ibm.com/developerworks/webservices/library/ws-trust/
Builds upon WS-Security by adding:
A Web Services “trust model”
Describes methods for
• Issuing and exchanging security tokens
• Issuing and responding to challenges as necessary (challenge response protocol).
Examples:
• WS-Trust spec (trust model diagram)
• Token request and response elements
New
WS-SecureConversation
http://www.ibm.com/developerworks/library/ws-secon/
Building upon WS-Trust, allows a long running, secure context to be established.
Defines how contexts are established
Specifies how derived keys are generated
Participants establish a shared context in one of three ways:
A security token service creates a “context token”
One party creates and propagates a token
Through defined negotiation protocols
WS-Federation
http://ibm.com/developerworks and other Web sources
(Diagram: the Web services stack with the WS-Security family expanded and WS-Federation highlighted: WS-Security (framework) with X509, Kerberos, XrML, Username, XCBF and SAML profiles; WS-SecurityPolicy, WS-Privacy, WS-SecureConversation, WS-Authorization, WS-Trust and WS-Federation.)
WS-Federation – What Is It?
A federation is a collection of security realms (e.g. partner organizations) that have established trust to share security information about users belonging to the realms, such as:
Identification
Authentication
Attributes
Authorization
WS-Federation:
Builds upon WS-Security, WS-Trust and WS-SecureConversation
Can share this data using different or like mechanisms
Defines mechanisms for the brokering of trust and for security token exchange between trust domains
Does not require local identities at target services
Optionally allows hiding of identity info and other attributes
Defines attribute and pseudonym services
WS-Federation – Purpose
Suppose:
A value network is composed of various organizations, systems, applications, and business processes.
Participants include customers, employees, partners, suppliers, and distributors
There is no single entity for identity, authentication, authorization, etc., because the cost of centralized identity management is high. Instead, there may be several such entities.
We need to manage security across multiple trust domains and among multiple business partners using multiple identity authorities.
WS-Federation is a specification to solve this and other problems.
WS-Federation
Other applications:
Single-sign-on for users – don’t have to present new credentials (e.g. a username and password) when entering a new trust domain
Multiple identity formats including pseudonyms
Provision users between organizations
Provision services between organizations
Policy-driven trust management
Single sign-out
WS-Federation Builds on Other Security Technologies
WS-Federation is not intended as a complete security solution. Instead, it builds on other Web services technologies:
WS-Policy specs can be used to indicate that a Web service requires a set of claims (security tokens and related message elements) in order to process an incoming request
WS-Trust mechanisms can be used by the requester to acquire additional security tokens it may require
WS-Security (WSS-SOAP Message Security) defines SOAP extensions used to provide security tokens
Security Token Services
A generic service that issues or exchanges security tokens using a common model and set of messages.
Follows the WS-Trust specification.
May be part of requester organization, provider organization, or a third party trusted by both of these.
Common functions:
Verify credentials for entrance to a security realm
Evaluate the trust of supplied security tokens
Identity Provider – performs peer entity authentication and can make identity claims in issued security tokens
A Simple Direct Trust Federation Scenario
Security tokens from Requester’s organization are used to acquire security tokens from Provider’s organization, which are required by the provider for the service request message.
The requester’s token is exchanged, stamped, or cross-certified by provider’s Security Token Service.
(Diagram: the Service Requester and its Security Token Service in the Requester’s organization; the Service Provider with its Policy and its Security Token Service in the Provider’s organization; a TRUST relationship between the two Security Token Services, with Security Token(s) flowing along each exchange.)
Another Direct Trust Federation Scenario
Security tokens from Requester’s organization are sent directly to provider’s service.
The service uses its Security Token Service to understand and validate the requester’s security token.
The validation response is sent as a security token which includes authentication and authorization data.
(Diagram: the same parties as in the previous scenario; the Service Requester sends its Security Token(s) straight to the Service Provider, which consults its Policy and its own Security Token Service; TRUST between the two organizations’ Security Token Services.)
Federation Scenario with Indirect Trust
There may not be a direct trust relationship between requester and provider organizations.
In that case, the two organizations may choose to use a trusted third party to establish and confirm trust for the transaction.
The provider asks the third party to verify the security token
The third party contacts the requester to verify the security token
Steps 1, 2, and 5 are as before.
(Diagram: the Requester’s organization and the Provider’s organization, each with a Service and a Security Token Service, plus a Third-party Security Token Service; TRUST relationships run from each organization’s Security Token Service to the third party, and Security Token(s) flow along each step.)
Multi-party Federation
There might be several organizations involved in a business process, with multiple trust realms. Steps 4 and 5 are the same as 2 and 3, except they are for a different transaction from a different provider.
(Diagram: the Service Requester and its Security Token Service in the Requester’s organization; Provider 1 and Provider 2, each with a Service Provider and a Security Token Service; TRUST relationships between the requester’s Security Token Service and each provider’s.)
Delegation
A Web service provider may need to access another Web service on behalf of a requester. The delegator provides security tokens to allow or indicate proof of delegation. There are other possible variations on this scenario.
(Diagram: the Service Requester and its Security Token Service in the Requester’s organization; the Delegator’s organization with a Service Provider and a Security Token Service; Provider 2 with a Service Provider and a Security Token Service; TRUST relationships between the Security Token Services.)
Attributes and Pseudonyms
Privacy protection may require additional controls and mechanisms:
To provide access control on any private information
To prevent unwanted correlation
To automatically map identities
Sharing of data between authorized parties
WS-Federation defines mechanisms to support:
Attribute services to personalize the experience using restricted information (subject to authorization and privacy rules)
Pseudonym services to facilitate single sign-on with automatic mapping of identities while keeping identity private
Resources: WS-Federation
http://ibm.com/developerworks/webservices
Federation of Identities in a Web services world: overview of goals and technologies
Web Services Federation Language: the specification itself
WS-Federation: Active Requestor Profile and WS-Federation: Passive Requestor Profile: these specs define how the WS-Federation model is applied to active and passive requestors
WS-ReliableMessaging
(Diagram: the Web services stack with WS-ReliableMessaging highlighted in the Quality of Service layer alongside WS-Security, WS-Policy, WS-Coordination and WS-Transactions, together with related specifications WS-MetadataExchange, WS-Addressing, WS-TransmissionControl and WS-EndpointResolution, marked as planned.)
WS-RM: Web Services Reliable Messaging
Goal: Reliable message exchange in the presence of software component, system, or network failures.
Errors in transmission may disrupt a conversation
Messages can be lost, duplicated, or arrive in a different order than they were sent
Host systems may fail and lose volatile state
Reliable messaging means:
A message is delivered exactly once
Messages are delivered in the same order they are sent
When this is not possible, a fault is raised on the Initial Sender, or the Ultimate Receiver, or both
WS-ReliableMessaging: Features
WS-RM (WS-ReliableMessaging) defines:
A messaging protocol to identify, track, and manage reliable delivery between a source and a destination.
A SOAP binding for interoperability
WS-RM is extensible:
Bindings for other protocols may also be defined
Additional functionality (e.g. security) can be tightly integrated
WS-RM integrates with and complements other specs:
Integrating WS-RM and WS-Security yields secure and reliable message exchange
WS-RM uses the WS-Policy specifications for defining and attaching reliable messaging policy assertions
The Reliable Messaging Model
[Diagram: the Requester App sends to the Source (e.g. sender’s platform), which transmits to the Destination (e.g. receiver’s platform); the Destination acknowledges back to the Source and delivers to the Provider App. Arrows: Send, Transmit, Deliver, Acknowledge.]
Requester App sends a message for reliable delivery
Source transmits the message (one or more times)
Destination receives and acknowledges the message
Destination delivers the message to the Provider App
Setup for Reliable Messaging
There are three requirements that must be satisfied prior to using Reliable Messaging:
1. Source must resolve Destination’s endpoint reference
2. Source must obtain Destination’s policies, if any, and send messages that conform to these requirements
3. A security context must be set up if required
Example
The Source labels messages with a <Sequence>:
Constructs a unique sequence group id (e.g. “http://fabrikam123.com/abc”)
Sends first message with id and sequence number 1
Sends second message with id and sequence number 2
Sends third message with id and sequence number 3, along with a token to indicate that this is the last message of the sequence
The <Sequence> element looks like this for the third message:
<wsrm:Sequence ...>
    <wsu:Identifier>http://fabrikam123.com/abc</wsu:Identifier>
    <wsrm:MessageNumber>3</wsrm:MessageNumber>
    <wsrm:LastMessage/>
    <wsu:Expires>[dateTime]</wsu:Expires>    (optional)
</wsrm:Sequence>
Example (Continued)
Suppose message 2 is lost or delayed. The Destination:
Receives message 1
Receives message 3
Acknowledges receipt of messages 1 and 3, like so:
<wsrm:SequenceAcknowledgement ...>
    <wsu:Identifier>http://fabrikam123.com/abc</wsu:Identifier>
    <wsrm:AcknowledgementRange Lower="1" Upper="1"/>
    <wsrm:AcknowledgementRange Lower="3" Upper="3"/>
</wsrm:SequenceAcknowledgement>
Notes:
The <AcknowledgementRange> indicates a range of received messages, from a lower number to an upper number
More than one <AcknowledgementRange> can be used when there are gaps in the sequence of received messages (as here)
Example (Continued)
The Source:
Receives acknowledgement for messages 1 and 3
Decides to resend message 2 with the same sequence group ID, along with a tag requesting immediate acknowledgement
The Destination:
Receives re-sent message 2, sends acknowledgement
The Source receives the acknowledgement. The sequence is now complete.
Meanwhile:
Destination later receives the lost copy of message 2
Destination identifies and drops the duplicate message (sequence id and number were retained to detect duplicates).
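The exchange walked through on the last three slides, replayed as an added simulation that is not part of the talk or of any WS-RM implementation. It tracks sequence numbers at the Destination, builds the <AcknowledgementRange> list from the gaps, resends what is missing, and drops the late duplicate; the sequence identifier is the one from the slides, the payloads are constructed.

```python
"""Constructed simulation of the WS-ReliableMessaging sequence exchange
described on the slides: sequence numbers, <AcknowledgementRange> gaps,
retransmission, and duplicate detection at the Destination.
This is added example code, not from the specification or the talk."""

from dataclasses import dataclass, field

# Sequence identifier used on the slides.
SEQ_ID = "http://fabrikam123.com/abc"


def ack_ranges(received):
    """Collapse a set of received message numbers into contiguous
    (Lower, Upper) pairs, as carried by <wsrm:AcknowledgementRange>."""
    ranges = []
    for n in sorted(received):
        if ranges and ranges[-1][1] == n - 1:
            ranges[-1] = (ranges[-1][0], n)
        else:
            ranges.append((n, n))
    return ranges


def ack_xml(identifier, ranges):
    """Render the acknowledgement header shown on the slides (layout only)."""
    body = "".join(
        f'<wsrm:AcknowledgementRange Lower="{lo}" Upper="{hi}"/>' for lo, hi in ranges
    )
    return (
        "<wsrm:SequenceAcknowledgement>"
        f"<wsu:Identifier>{identifier}</wsu:Identifier>{body}"
        "</wsrm:SequenceAcknowledgement>"
    )


def missing(ranges, highest):
    """Message numbers 1..highest that no acknowledged range covers."""
    covered = {n for lo, hi in ranges for n in range(lo, hi + 1)}
    return [n for n in range(1, highest + 1) if n not in covered]


@dataclass
class Destination:
    """Receiver side: remembers every (sequence id, number) seen, so a late
    copy of an already delivered message is dropped rather than delivered twice."""
    received: dict = field(default_factory=dict)   # sequence id -> set of numbers
    delivered: list = field(default_factory=list)  # what reached the Provider App

    def receive(self, identifier, number, payload):
        seen = self.received.setdefault(identifier, set())
        if number in seen:
            return "duplicate"          # retained state detects the replayed copy
        seen.add(number)
        self.delivered.append((number, payload))
        return "delivered"

    def acknowledge(self, identifier):
        return ack_ranges(self.received.get(identifier, set()))


def run_scenario():
    """Replays the slide scenario: message 2 is lost, 1 and 3 arrive,
    2 is retransmitted, then the delayed original copy of 2 shows up."""
    dest = Destination()
    outbox = {1: "order-part-1", 2: "order-part-2", 3: "order-part-3"}  # 3 is LastMessage
    for n in (1, 3):                                # message 2 is lost in transit
        dest.receive(SEQ_ID, n, outbox[n])
    first_ack = dest.acknowledge(SEQ_ID)            # [(1, 1), (3, 3)]
    to_resend = missing(first_ack, highest=3)       # [2]
    for n in to_resend:
        dest.receive(SEQ_ID, n, outbox[n])
    second_ack = dest.acknowledge(SEQ_ID)           # [(1, 3)]: sequence complete
    late = dest.receive(SEQ_ID, 2, outbox[2])       # delayed original copy arrives
    return {
        "first_ack": first_ack,
        "first_ack_xml": ack_xml(SEQ_ID, first_ack),
        "resent": to_resend,
        "second_ack": second_ack,
        "late_copy": late,                          # "duplicate"
        "delivered_numbers": [n for n, _ in dest.delivered],   # [1, 3, 2]
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Note that delivery order at the Provider App is 1, 3, 2; an InOrder delivery assurance (next slides) would additionally require the Destination to hold message 3 until 2 has arrived.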
Reliable Messaging Policy Assertions
WS-RM defines a set of policy assertions for use with the WS-Policy framework specification:
DeliveryAssurance assertion: AtMostOnce, AtLeastOnce, ExactlyOnce, and InOrder are possible values
Expires assertion: specify a dateTime indicating expiration of a sequence group
InactivityTimeout assertion: specify an interval in milliseconds, after which a retry may be attempted
RetransmissionInterval: how often retries will be attempted
ExponentialBackoff: modifies the retry algorithm
wsp:SpecVersion policy assertion from WS-PolicyAssertions
wsp:Usage=”…” from WS-PolicyAssertions for other assertions
WS-PolicyAttachment may be used to associate a policy with a <Sequence>
Fault Management
<SequenceFault>, used with the SOAP fault mechanism, signals specific exceptions in reliable message processing
Some fault codes:
wsrm:SequenceTerminated
wsrm:UnknownSequence
wsrm:InvalidAcknowledgement
wsrm:MessageNumberRollover (message number overflows unsigned long)
wsrm:LastMessageNumberExceeded (message number is greater than the number of a previously received message that was marked “LastMessage”)
wsrm:SequenceRefused (can’t start requested sequence)
Security Considerations
WS-RM recommends use of WS-Security when security is required
The <wsrm:Sequence> header needs to be signed with the body in order to "bind" the two together
The <wsrm:SequenceAcknowledgement> header MAY be signed independently (this reply, independent of the message, may not be a security concern)
Because Sequences commonly exchange a number of messages, it is recommended that a security context be established using WS-Trust and WS-SecureConversation
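An added illustration of the first bullet, not code from the talk or from WS-Security: the same Body is signed once together with its <wsrm:Sequence> header and once alone, and the receiver then sees the header relabelled as message 3 / LastMessage. HMAC-SHA256 over length-prefixed parts stands in for an XML Signature with one <Reference> per signed element; the key, identifier and body are constructed.

```python
"""Added example (not from the talk, WS-Security or WS-ReliableMessaging):
why the <wsrm:Sequence> header must be signed together with the SOAP Body.
HMAC-SHA256 over length-prefixed parts stands in for an XML Signature with
one <Reference> per signed element; canonicalisation is out of scope."""

import hashlib
import hmac

# Constructed demo key. With WS-SecureConversation this would be the key
# derived from the security context shared by Source and Destination.
KEY = b"constructed-demo-key"
SEQ_ID = "http://fabrikam123.com/abc"   # sequence identifier from the slides


def sequence_header(identifier, number, last=False):
    last_elem = "<wsrm:LastMessage/>" if last else ""
    return (f"<wsrm:Sequence><wsu:Identifier>{identifier}</wsu:Identifier>"
            f"<wsrm:MessageNumber>{number}</wsrm:MessageNumber>{last_elem}"
            "</wsrm:Sequence>")


def sign(key, *parts):
    """MAC over the signed parts; each part is length-prefixed so content
    cannot be shifted between the header and the body."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        data = part.encode()
        mac.update(len(data).to_bytes(4, "big"))
        mac.update(data)
    return mac.hexdigest()


def verify(key, signature, *parts):
    return hmac.compare_digest(signature, sign(key, *parts))


def build_message(key, identifier, number, body, bind_header):
    """bind_header=True signs Sequence header and Body together (the slide's
    recommendation); False signs the Body alone (the weak variant)."""
    header = sequence_header(identifier, number)
    parts = (header, body) if bind_header else (body,)
    return {"sequence": header, "body": body, "signature": sign(key, *parts)}


def check_message(key, msg, bind_header):
    """Receiver-side verification; bind_header is the receiver's own policy."""
    parts = (msg["sequence"], msg["body"]) if bind_header else (msg["body"],)
    return verify(key, msg["signature"], *parts)


def signed_ack(key, identifier, ranges):
    """The acknowledgement is a separate reply and may be signed on its own."""
    ack = ("<wsrm:SequenceAcknowledgement>"
           f"<wsu:Identifier>{identifier}</wsu:Identifier>"
           + "".join(f'<wsrm:AcknowledgementRange Lower="{lo}" Upper="{hi}"/>'
                     for lo, hi in ranges)
           + "</wsrm:SequenceAcknowledgement>")
    return ack, sign(key, ack)


def demo():
    """Same Body under both signing scopes; then the Sequence header is
    relabelled as message 3 / LastMessage without touching the Body."""
    body = "<soap:Body><Order>part-2</Order></soap:Body>"
    bound = build_message(KEY, SEQ_ID, 2, body, bind_header=True)
    unbound = build_message(KEY, SEQ_ID, 2, body, bind_header=False)
    relabelled = sequence_header(SEQ_ID, 3, last=True)
    ack, ack_sig = signed_ack(KEY, SEQ_ID, [(1, 1), (3, 3)])
    return {
        "bound_ok": check_message(KEY, bound, bind_header=True),                       # True
        "bound_relabelled": check_message(KEY, dict(bound, sequence=relabelled), True),   # False
        "unbound_relabelled": check_message(KEY, dict(unbound, sequence=relabelled), False),  # True
        "ack_ok": verify(KEY, ack_sig, ack),                                             # True
    }


if __name__ == "__main__":
    print(demo())
```

With the Body signed alone, the relabelled header still verifies, so ordering and sequence termination could be altered without detection; with header and Body signed together the change is caught.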
Resources: Reliable Messaging
Available on http://ibm.com/developerworks/webservices:
Specs for WS-ReliableMessaging, WS-Policy, and WS-Security
Whitepaper: “Reliable Message Delivery in a Web Services World”. Overview and roadmap discussing WS-RM, WS-Addressing, and the planned specifications WS-TransmissionControl, WS-MetadataExchange, and WS-EndpointResolution
New Whitepaper: “Implementation Strategies for WS-ReliableMessaging”, also on developerWorks
A balanced (non-IBM) perspective on the comparison of WS-RM vs. WS-Reliability, by David Chappell:
http://xml.coverpages.org/ChappellReliability20030313.html
Business Process Execution Language (BPEL)
[Diagram: the Web services stack again, with Business Processes: Business Process Execution Language highlighted. Below it: WS-Coordination, WS-Transactions; Quality of Service: WS-Security, WS-Policy, WS-ReliableMessaging; Description and Discovery: WSDL, UDDI; Messaging and Encoding: SOAP, SOAP Attachments; XML, XML Infoset; Transport: Transports; Other protocols, other services.]
Requirements for Business Processes
We need a model for describing simple or complex exchanges that characterize business partner interactions:
Stateful, long-running interactions involving two or more parties
Sequences of peer-to-peer message exchanges
• Synchronous exchanges
• Asynchronous exchanges with correlation
[Diagram: Public Processes and Private Processes]
WSDL Provisions for Web Services
Organizes Web services interfaces as:
“Port types”: groups of related operations
The operations themselves
Defines Web services as a stateless interaction model of individual peer-to-peer message exchanges:
• Synchronous exchanges, or
• Uncorrelated asynchronous exchanges
[Diagram: a Port Type containing operations]
Separation of WHAT from HOW
Business Process: what to do
A sequence of activities models a business process
IT provides tools to allow business people to define, monitor, and manage business processes
WSDL: how to execute activities
An activity can be a Web service, defined by a SOAP interface and a WSDL description; internal, or from a business partner
A business process can be externalized as an activity for a client app or another business process
[Diagram: an Application calls a Business Process (WHAT) made of activities A, B, C, D, E; each activity is executed through WSDL (HOW)]
[Screenshot: IBM WebSphere Studio Application Developer Integration Edition for Linux and Windows, V5]
The BPEL4WS Specification
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wsbpel
A model for describing simple or complex exchanges that characterize business partner interactions:
Use standard Web services to invoke a partner’s process
Expose the resulting business process as a Web service
Define control elements for workflow
Create a fully-executable, portable script
Began as a technology proposal by IBM, BEA, and Microsoft:
Version 1.0 published in August 2002
Version 1.1 published in April 2003
A merger of IBM’s WSFL and Microsoft’s XLang
Submitted to the OASIS BPEL TC
Builds on and extends XML and Web Services specifications:
Expressed in XML
Uses and extends WSDL
WSDL and XML Schema for data model
XPath for assignments, conditions, etc.
Web Services and Choreography
[Diagram: a Requester calls a business process through its port types; the process consists of activities A, B, C, D, E and in turn invokes other port types 1, 2, 3.]
A Business Process:
Is composed of choreography elements (“activities”) to define behavior
Activities include the ability to invoke Web services, control flow, etc.
The resulting business process is exposed as one or more Web services
The BPEL model describes:
Operation sequencing constraints
Service behavior (ordered activities)
Service identity management
Dynamic partner and service selection
BPEL and Portability
A BPEL script will run on any BPEL-compliant engine, so it’s platform- and vendor-neutral
Create with your favorite BPEL Modeling Tool
Run on any BPEL-compliant platform
[Diagram: several BPEL Modeling Tools produce a BPEL Model (activities A to E, calling port types 1, 2, 3), which runs on any of several BPEL Execution Environments.]
Handling an Incoming Request
The <receive> activity:
Specifies the partner, port type, and operation it expects to receive
Does a blocking wait
Wakes up when the specified message is received
Proceeds to the next activity
Optionally specifies that a new BP instance should be created on receiving the message
The <reply> activity:
Specifies the same partner, port type, and operation as <receive>
Sends the response message
Proceeds to the next activity
Note: this is the synchronous model. The asynchronous model is discussed on the next page.
[Diagram: a Buyer calls operation A on a port type of the Seller’s Business Process over a <partner> link; inside the <process>, <receive> accepts A, other activities run, and <reply> returns B.]
Invoking a Web Service
A partner can invoke a service from another partner using SOAP and WSDL. Two models:
Synchronous: <invoke> sends a message and the protocol waits for the response
Asynchronous: <invoke> sends a message and the BPEL engine waits for a response on the “callback” operation
[Diagram: the Buyer’s Business Process uses <partner> links to the Seller’s Business Processes. Synchronous: <invoke> P is answered by the Seller’s <receive> / <reply> pair. Asynchronous: <invoke> Q is accepted by the Seller’s <receive>; the Seller later calls the Buyer’s “callback” operation with its own <invoke>, matched by a <receive> in the Buyer’s process.]
Note: services that are invoked can be ordinary Web services or other business processes.
The <sequence> and <flow> Activities
<sequence> activities run one at a time in the order they are listed
<flow> activities run concurrently
The flow activity does not complete until all its activities complete (synchronization)
Flow branches are often <sequence>s
[Diagram: a <sequence> with A followed by B; a <flow> with A and B side by side]
Combining Flows and Sequences
<flow>s and <sequence>s can nest to any required depth:
A <sequence> can contain <flow>s
A <flow> can contain <sequence>s
Activities link other Business Processes or Web services
[Diagram: a <process> exposing a port type, containing a <sequence> of <receive>, a <flow>, and <reply>]
Cross-dependencies
A <link> can be used to alter the behavior of a <flow>, crossing the boundaries of <sequence> and <flow> as required. In this example:
X is declared as the source of the link
Y is declared as the target of the link
When X completes, the link becomes “active”
Both W and X must complete before Y can run. If either is not completed, Y waits until both are completed.
[Diagram: a <process> with a <sequence> containing a <flow>; inside the <flow>, W precedes Y in one branch while X runs in another, and a link leads from X to Y]
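The <sequence>, <flow> and <link> rules from the last three slides, as an added scheduler that is not part of the BPEL specification or of BPWS4J. It derives, for each activity, which others must complete first, and runs the process in rounds of concurrently runnable activities; the activity names and the second branch (V before X) are constructed so that the effect of the link is visible.

```python
"""Added example, not from the BPEL specification or BPWS4J: a minimal
scheduler for <sequence>, <flow> and <link> semantics. It derives which
basic activities must complete before each other, then runs them in
rounds; each round is a set of activities free to run concurrently.
Activity names (W, X, Y, V, Z) are constructed for the illustration."""

from dataclasses import dataclass, field


@dataclass
class Sequence:
    children: list                               # run one at a time, in order


@dataclass
class Flow:
    children: list                               # run concurrently
    links: list = field(default_factory=list)    # (source, target) activity names


def activities(node):
    """Basic activity names inside a node, in document order."""
    if isinstance(node, str):
        return [node]
    return [a for child in node.children for a in activities(child)]


def dependencies(node, deps=None):
    """Map each basic activity to the set of activities that must complete first."""
    if deps is None:
        deps = {}
    if isinstance(node, str):
        deps.setdefault(node, set())
        return deps
    for child in node.children:
        dependencies(child, deps)
    if isinstance(node, Sequence):
        # The next child may start only once everything in the previous one completed.
        for earlier, later in zip(node.children, node.children[1:]):
            done = set(activities(earlier))
            for act in activities(later):
                deps[act] |= done
    else:
        # A link target waits for its source, whichever branch the source is in.
        for source, target in node.links:
            deps[target].add(source)
    return deps


def schedule(process):
    """Execution rounds; activities within a round do not depend on each other."""
    pending = {a: set(d) for a, d in dependencies(process).items()}
    rounds = []
    while pending:
        ready = sorted(a for a, d in pending.items() if not d)
        if not ready:
            raise ValueError("links form a cycle among: " + ", ".join(sorted(pending)))
        rounds.append(ready)
        for a in ready:
            del pending[a]
        for d in pending.values():
            d.difference_update(ready)
    return rounds


def is_acyclic(process):
    """BPEL forbids links that create a cycle; report whether the process is runnable."""
    try:
        schedule(process)
        return True
    except ValueError:
        return False


def demo():
    """The slide's cross-dependency: W precedes Y in one <flow> branch, X runs
    in another branch, and a <link> from X to Y makes Y wait for both."""
    branches = [Sequence(["W", "Y"]), Sequence(["V", "X"])]
    without_link = Sequence([Flow(branches), "Z"])
    with_link = Sequence([Flow(branches, links=[("X", "Y")]), "Z"])
    return {
        "without_link": schedule(without_link),        # [['V', 'W'], ['X', 'Y'], ['Z']]
        "with_link": schedule(with_link),              # [['V', 'W'], ['X'], ['Y'], ['Z']]
        "y_waits_for": dependencies(with_link)["Y"],   # {'W', 'X'}
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```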
BPEL Data Model
Variables* represent <process> context:
Like object instance data
Persistent messages shared between activities in a business process
Can also be used for any required non-message data
Define input/output of activities or context for fault and compensation handlers
Defined by WSDL messages or using XML Schema
Global or scoped definition
Can be manipulated via the <assign> activity
* Variables were called “containers” in BPEL 1.0
[Diagram: a <process> with port types; a <variable> holds a message that is the input and output of an activity]
Process Instances and Correlation
Manage interaction between stateful service instances
Instance identification via a selected “token” in messages exchanged between services
<correlationSet> identifies tokens
Used by activities to address appropriate service instances
Global or scoped definition
NOTE: This is similar in nature to object references in more traditional OO programming.
For more info: http://www-106.ibm.com/developerworks/webservices/library/ws-bpelcol6/
[Diagram: a <process> with port types; a <correlationSet> built from tokens chosen for <correlations> (orderNo, customerID) is initialized by one activity and used by later activities]
Other BPEL Features
These can be defined (or redefined) within a <scope>:
Fault handling
Event handling
Compensation
Variables
Correlation sets
Concurrency
Compensation handling: define a flow for undoing previously completed activities
Fault handling: define steps for handling a fault thrown by any activity
Event handling
<wait>: for an interval, or until a specified time
<switch>: like a C++/Java switch, except that there is a condition for each case
<pick>: combination of <receive> and switch; handle one of a list of expected incoming messages
Executable and Abstract Processes
Executable processes:
Complete business process details
Can be run on all compliant environments
Abstract processes:
Specify constraints of message exchange
Describe business protocol
Simplified model for use in business partner integration
[Diagram: an executable process with activities A through V and Variables 1 to n is reduced to an abstract process with activities A, B, C, D and Properties 1 to n (e.g. Property = 42): “Hide Complexity”]
Business Processes in Today’s Products
WebSphere Application Server Enterprise v5.0:
Implementation of FDML (flow description markup language), a subset of WSFL, a predecessor of BPEL
Very similar runtime requirements to BPEL
Migration tool for FDML to BPEL will be provided
WebSphere Studio Application Developer Integration Edition v5.0:
Eclipse plug-in for modeling and creating business processes in FDML
These reflect our Business Process work pre-BPEL. FDML is a subset of WSFL, a predecessor of BPEL. We will provide tools to migrate from FDML to BPEL.
BPWS4J – Experimental BPEL Engine and Editor
Experimental BPEL engine in Java:
Can execute business processes written in BPEL4WS
A set of samples demonstrating the use of BPEL4WS
A tool that validates BPEL4WS documents
Eclipse plugin: simple BPEL4WS editor:
Synchronized XML source and tree views of the business process
Accommodates bottom-up as well as top-down process design
Context-sensitive menus guide creation of spec-compliant processes
Validation of process against specification requirements while editing
Download: http://ibm.com/alphaworks, search for BPWS4J
BPEL and Standardization
BPEL 1.1 Specification – published April, 2003
http://ibm.com/developerworks/library/ws-bpel/
Event handling
Reorganization of spec
“containers” renamed to “variables”
Variables can be declared in <scope> as well as globally
An OASIS TC is hard at work on standardizing BPEL
BPEL 1.1 was input to the TC
• http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wsbpel
Resources – BPEL Whitepapers and Specs
Visit http://ibm.com/developerworks/webservices:
BPEL4WS 1.1 Specification
Paper: “Automating business processes and transactions in Web services: An introduction to BPELWS, WS-Coordination, and WS-Transaction”
Paper: “Business processes in a Web services world: A Quick Overview of BPEL4WS”
A series of papers: “Understanding BPEL4WS” (explains the new alphaWorks BPEL editor and runtime)
…and more. Search for “BPEL4WS” for the full list.
One Final Key Topic: Web Services Interoperability
The Role of the WS-I Organization
[Diagram: Standards Bodies and Industry feed WS-I, which delivers Profiles (BP 1.0 available; Fall ’03 availability; underway: Attachments, Basic Security), Sample Apps, and Tools]
“WS-I will act as a standards integrator, therefore bringing some coherence to the effort carried out concurrently by the W3C, Oasis, OAG and other informal groups.” - Gartner Group
Achieve Web services interoperability
Encourage Web services adoption
Accelerate Web services deployment
WS-I Organization
An industry initiative for Web services, founded February 2002
Open to any organization committed to Web services
Promote and accelerate adoption, deployment
Focused on promoting Web service interoperability across platforms, applications, and programming languages
Promote a common, clear definition for Web services
Mission statement:
“The Web Services Interoperability Organization is an open industry effort chartered to promote Web Services interoperability across platforms, applications, and programming languages. The organization brings together a diverse community of Web services leaders to respond to customer needs by providing guidance, recommended practices, and supporting resources for developing interoperable Web services.”
WS-I in the Marketplace
Tool vendors will advertise that their products support development and deployment of WS-I conformant services
Middleware vendors will advertise that their products support conformant Web service hosting
Customers will look for WS-I conformance on:
Products
Deployed instances, and
Vertical standard interface descriptions
WS-I Community
160+ members
Software vendors of all sizes: IBM, Microsoft, BEA, Oracle, HP, Sun, CapeClear, Hummingbird, Filenet, Iona, webMethods, …
Enterprise customers: AT&T, Daimler-Chrysler, NTT, Fidelity, United, …
Others interested in Web services: Accenture, EDS, …
All members are invited to actively participate
WS-I Deliverables
Use Cases and Usage Scenarios:
Use Case: business usage of Web services; Usage Scenario: technical usage of Web services
Formalized way to communicate community requirements
Specific emphasis on “real-world” use cases and scenarios
Profiles:
Named sets of specifications at given version levels
Constraints, clarifications and conventions about how they are used together
Sample Applications:
Demonstrated use of Profiles as defined in Use Cases and Scenarios
Test suites and supporting materials:
Conformance testing tools
Test assertions for the profile
WS-I.org Profiles
A profile is a named set of Web services specifications and their versions
Base specifications are normative
Profile adds constraints and guidance as to their interoperable usage based upon implementation experience
General format is statement, refinement, rationale, examples where appropriate
WS-I Basic Profile 1.0
http://ws-i.org/Profiles/Basic/2003-01/BasicProfile-1.0-WGAD.html
Basic Profile 1.0 is based on these specifications:
SOAP 1.1
WSDL 1.1
UDDI 2.0
XML Schema
XML 1.0 (Second Edition)
HTTP 1.1
SSLv3
Basic Profile 1.0 Technical Highlights
SOAP 1.1:
Use of SOAP encoding disallowed
“Trailers” (element content after soap-env:Body) disallowed
Most spec ambiguity issues resolved in alignment with SOAP 1.2
Use of SOAPAction, soap-env:actor clarified
WSDL 1.1:
Limited to use of rpc/literal and document/literal
SOAP/HTTP binding required
• Other bindings out of scope, but may be used
Schema errata fixed
• Spec treated as normative
Exclude use of wsdl:import for XSD files
Numerous spec clarifications
Technical Highlights (Continued)
UDDI 2.0:
Require WSDL 1.1 as description language
Established category to identify WS-I conformant entities
Security:
May use SSLv3 (HTTP/S)
HTTP 1.1 Basic Auth
Identify risks and countermeasures within Basic Profile
• Mapped these risks/threats to use cases and scenarios
XML Schema:
Any valid XSD constructs may be used (all, choice, sequence, etc.)
Recommend use of xsi:nil / xs:nillable to designate NULL values
HTTP 1.1:
Clarify use of HTTP response status codes
• soap:Fault == 500, redirect == 307
Cookies permitted, but must not be required
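Three of the Basic Profile 1.0 points from these two slides, turned into an added checker that is not WS-I’s own conformance tooling: no SOAP encoding, no trailer elements after soap-env:Body, and a soap-env:Fault must come back with HTTP 500. The sample envelopes are constructed; the namespace URIs are the standard SOAP 1.1 ones.

```python
"""Added example (not WS-I's own conformance tooling): checks for three
Basic Profile 1.0 points quoted on the slides, run over constructed SOAP 1.1
messages: no SOAP encoding, no trailers after soap-env:Body, and a
soap-env:Fault must travel with HTTP status 500."""

import xml.etree.ElementTree as ET

ENV = "http://schemas.xmlsoap.org/soap/envelope/"      # SOAP 1.1 envelope
ENC = "http://schemas.xmlsoap.org/soap/encoding/"      # SOAP 1.1 encoding
ENVELOPE, BODY, FAULT = [f"{{{ENV}}}{n}" for n in ("Envelope", "Body", "Fault")]
ENCODING_STYLE = f"{{{ENV}}}encodingStyle"


def check_envelope(xml_text):
    """Return the list of profile violations found in one envelope."""
    root = ET.fromstring(xml_text)
    if root.tag != ENVELOPE:
        return ["root element is not soap-env:Envelope"]
    problems = []
    children = list(root)
    body_at = next((i for i, c in enumerate(children) if c.tag == BODY), None)
    if body_at is None:
        problems.append("missing soap-env:Body")
    elif body_at != len(children) - 1:
        trailers = [c.tag for c in children[body_at + 1:]]
        problems.append(f"trailer elements after soap-env:Body: {trailers}")
    for elem in root.iter():                      # SOAP encoding anywhere is disallowed
        style = elem.get(ENCODING_STYLE)
        if style is not None:
            problems.append(f"encodingStyle on {elem.tag}: {style}")
    return problems


def check_http_response(status, xml_text):
    """Envelope checks plus the status-code rule for faults."""
    problems = check_envelope(xml_text)
    has_fault = ET.fromstring(xml_text).find(f"{BODY}/{FAULT}") is not None
    if has_fault and status != 500:
        problems.append(f"soap-env:Fault returned with HTTP {status}, expected 500")
    if status == 500 and not has_fault:
        problems.append("HTTP 500 without a soap-env:Fault in the Body")
    return problems


# Constructed sample messages.
CONFORMANT = f"""<soap-env:Envelope xmlns:soap-env="{ENV}">
  <soap-env:Header/>
  <soap-env:Body>
    <m:GetQuote xmlns:m="urn:example:quotes"><m:symbol>IBM</m:symbol></m:GetQuote>
  </soap-env:Body>
</soap-env:Envelope>"""

NONCONFORMANT = f"""<soap-env:Envelope xmlns:soap-env="{ENV}">
  <soap-env:Body soap-env:encodingStyle="{ENC}">
    <m:GetQuote xmlns:m="urn:example:quotes"/>
  </soap-env:Body>
  <m:Trailer xmlns:m="urn:example:quotes">not allowed after Body</m:Trailer>
</soap-env:Envelope>"""

FAULT_RESPONSE = f"""<soap-env:Envelope xmlns:soap-env="{ENV}">
  <soap-env:Body>
    <soap-env:Fault>
      <faultcode>soap-env:Client</faultcode>
      <faultstring>unknown symbol</faultstring>
    </soap-env:Fault>
  </soap-env:Body>
</soap-env:Envelope>"""


if __name__ == "__main__":
    print(check_envelope(CONFORMANT))                # []
    print(check_envelope(NONCONFORMANT))             # trailer and encodingStyle findings
    print(check_http_response(200, FAULT_RESPONSE))  # status-code finding
```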
Resources: WS-I.org
WS-I.org: http://www.ws-i.org/
Basic Profile 1.0: http://ws-i.org/Profiles/Basic/2003-01/BasicProfile-1.0-WGAD.html
Whitepaper: “First look at the WS-I Basic Profile 1.0”: http://www-106.ibm.com/developerworks/webservices/library/ws-basicprof.html
Thank You!
Please feel free to ask questions if we have time or send e-mail
Kelvin R. [email protected]
Copyright
© Copyright IBM Corporation 2003. All rights reserved.
IBM, the IBM logo, the e-business logo and other IBM products and services are trademarks or registered trademarks of the International Business Machines Corporation, in the United States, other countries or both. References in this publication to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.
Product release dates and/or capabilities referenced in this publication may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries or both.
Microsoft, Windows, Windows NT and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries or both.
All other trademarks, company, products or service names may be trademarks, registered trademarks or service marks of others.