At your service

« The standard way of working | Install issues - harder than you think »

At your service

by cc0028 @ 2008-07-16 – 21:00:37
Right. Let's talk about SOA and WSS.

OK. OK. Let's talk about Service Oriented Architecture and Web Service Security.

The term, "Web Services" has, by now, got past the stage of being every boss's favourite buzz word, erm, phrase. They are, instead, rapidly becoming a familiar part of the IT landscape, and have become a favoured way of implementing a Service Oriented Architecture (SOA). So what's that? Well, it's a way of building powerful applications made up in whole or in part of services provided by remote computers, possibly belonging to organisations other than your own. Google, for example, provides a Web Service-based application programming interface (API). You can use this to do keyword searches in your own application without having to worry about how a keyword search is actually done. In other words what we are doing in a Web Service is to arrange for a client machine to ask a server machine to perform some service for it - i.e. to run some procedure or other and to return (send back) the result of executing the procedure. In the case of the Google API, we ask one of Google's servers to run a search for us and to send back the search results.

In order for this to work, all the participants in the game have to agree on what the rules are. Yes, we're back to standards again. There are quite a few different standards in this field, probably reflecting its comparative youth. No doubt a single standard will emerge over time. For the purposes of this article, I'm going to assume that we're talking about the Simple Object Access Protocol (SOAP) and the Web Service Definition Language (WSDL) - so you should too, if there's to be any communication between us.

Now, the whole point of these standards is that it should not matter what kind of program is running at either end of the communication. So long as they both stick to the protocol, everything should be fine. A C# program using the .NET Framework, running on a Windows machine should be able to exchange messages with a Java program running on a Linux machine and using the Apache Axis framework absolutely seamlessly. And that's pretty much what happens, but, as usual, there are exceptions.

In the early days of Web Services, nobody gave too much - some would say that no-one gave enough - thought to security. As Web Services have become more popular and organisations have started using them to pass confidential information about the place, security has become a much more pressing issue. As a result there are a number of standards dealing with Web Sevice security. If you're really having difficulty sleeping you can read about them on the OASIS site. They are extremely complex and, of course, add a layer of complexity to any programs that use them. They also increase the chances that the parties at both ends of the Web Service communication might misunderstand each other - either because there are bugs in the implementation at one end or the other, or because the implementations have interpreted the standard differrently.

So why am I telling you this? Well, it's been my misfortune over the past few weeks to try to use a Web Service exposed by one of our partners (the UK Student Loan Company). My program, like all those I write at work, is written in C#, a .NET language. The Web Service I've been trying to communicate with uses the Java Apache Axis Framework.

Normally, this wouldn't be a problem, but this service demands a certain amount of security because of the nature of the information being passed. It's not terribly confidential. We're not talking about student loan details, for instance; but it's a private conversation nevertheless. The Web Service therefore has the following characteristics:
- Communication is over an encrypted connection (SSL)
- The SOAP header (the first part of a Web Service message) must contain the client's user name and password in clear text
- The server authenticates to the client using an X509 Certificate
- The client does not authenticate to the server
- No encryption over and above the transport layer (SSL) encryption is to be carried out.
Wouldn't you know it? This is not one of the standard configurations that can easily be configured using the .NET Framework (and the Visual Studio integrated development environment). There also seem to be some strange features in the Apache Axis Framework implementation, which mean that:
- Sending a message under these particular circumstances with a <Timestamp> element in the SOAP header - supposedly a mandatory field - will generate an error from the server
- The response to at least one message results in an XML document that does not conform to the schema set out in the WSDL file. Our partners believe this to be a bug, but whatever it is, it has to be dealt with.
It turns out that on the client side, the solution is:
- To create a custom policy assertion class that filters both output from and input to the Web Service. This is done by creating two custom SoapFilter classes that are called to filter (alter) the input to and output from the Web Service client.
- The filter for outgoing messages looks for the <Timestamp> element and deletes it before the message is sent up the wire.
- The filter for incoming messages looks for the malformed XML (which is on the <code> elements) and corrects them by adding a namespace definition. As it happens the attribute that the namespace is defined for is entirely redundant, but it turned out to be easier to add the namespace definition than delete all the unnecessary attributes. The corrected XML is then fed to the .NET Framework Web Service client handling plumbing.
They don't tell you this sort of thing in any of the standard texts or on any of the standard courses and, for the first time in my experience, all my newsgroup and mailing list postings went unanswered (with one exception - and my grateful thanks to Evan Freeman of the microsoft.public.dotnet.framewok.aspnet.webservices newsgroup for his moral and practical support).

In the hope, therefore of preventing frustration-driven rapid hair loss syndrome amongst .NET programmers, I have published a document on my personal Website that goes into all the gory details of what was done and why:

Microsoft dotNet WSE 3 Web Services.pdf

I hope it helps someone. And if anyone has any suggestions as to how the document could be improved, or corrections or other improvements, then I'll be only too happy to act on them if I agree they'll help.
Options:
Tags:
- java
- soap
- c#
- web services
- web service security
- wsdl
- apache axis

3 Comments on At your service

Hide subcomments

- menhir
- 2008-07-16 @ 22:59:26
What a hairy situation.

You do live in hope when you suggest that one day there will be a single standard, but then I suppose someone must have faith. I ask the question, why should computing be any different to life in relation to operating with single standards, or more likely, not?

Computing languages and systems are devised by homo sapiens - and a clever lot they can be too - however, human beings, being what they are, a contrary lot with masses of different ideas and with each person or group thinking their ideas/productions are best, there will either never be agreements for a single protocol. So far this has been borne out.

Alternatively, there will be a compromise to work within a few approved parameters. What a mish mash there would be if they were all merged. Perish the thought! No doubt, even if some kind of agreement was cobbled together, someone somewhere, would adapt it, creating a need for further tweaking.

I hope you get some ideas of use to your headache. It sounds like you have reached a workable solution, or would you call in a compromise?
- - cc0028
  - http://www.peredur.uklinux.net
  - 2008-07-17 @ 18:55:31
  Oh, there will be a single standard. It's in everyone's interest. As it stands at the moment there are only about three standards for Web Services, and they are not really associated with particular companies. They are all international standards overseen by bodies such as the World Wide Web Consortium and OASIS (Organization for the Advancement of Structured Information Standards).
  
  Either that, or they will co-exist for different domains.
  
  Computers aren't human. They need agreed protocols, and we've had them for ages - IP, the Internet Protocol; TCP, the Transport Control Protocol; SMTP, the Simple Mail Transfer Protocol; FTP, the File Transfer Protocol; HTML, the Hypertext Markup Language; CSS, Cascading Style Sheets, and on and on. As we increasingly use distributed systems there will be no choice but to use agreed, standard protocols: otherwise there would be no distributed computing.
  
  Things are, in fact, moving in the direction of even more standard protocols, covering even more areas of computing, not less. For example, there is now an Open Document Format standard that covers areas such as standard formats for word processing, spreadsheet and presentation documents. Microsoft fought it tooth and nail, and even got its own rival version agreed (OOXML), but even they have recently admitted defeat. The next version of MS Office will support ODF natively. PDF has become an international standard recently, as well.
  
  The problem I had was not that the Apache Axis software was ignoring the standard, but that it had mis-implemented it. I've no doubt that our partners will make out a bug report and it will soon be squashed. In the meantime, I have a workable solution that should not break even if the bug is fixed.
  
  Computer languages are something else. There are many of these, but the reason for that is because they tend to be good (i.e. efficient) at different things. So your choice of language is based on what you want to do, not who owns the language: and in fact most computer languages are themselves defined in international standards, so they aren't "owned" by anyone. If you want to change something in the C# language, you don't talk to Microsoft, you talk to the ISO, or possibly ECMA - both of which are international standards bodies. And remember, at the end of the day, all computer languages finish up as machine code. So it doesn't matter what high-level language you use: if you're writing for an Intel chip, say, it finishes up in x86 machine code. Computers only understand 0s and 1s. That's how all computer code finishes up.
  
  Cheers
  
  Peter
  - - menhir
    - 2008-07-21 @ 09:58:08
    Hi,
    
    I fully understand that computers aren't human, it's the unpredictable human element that operates systems, codings and the technology that will always cause problems. You gave a fine example of it.
    - Reply to comment
    - Permalink

3 Comments on At your service

Leave a comment (Login)