
Web Services Session GOSC meeting, Edinburgh, 29th October 2004.

Hong Ong, Distributed Systems Group, University of Portsmouth, hong.ong@port.ac.uk. Ariel Goyeneche, Centre for Parallel Computers, University of Westminster, goyenea@wmin.ac.uk.


Presentation Transcript


  1. Web Services Session. GOSC meeting, Edinburgh, 29th October 2004. Hong Ong, Distributed Systems Group, University of Portsmouth, hong.ong@port.ac.uk. Ariel Goyeneche, Centre for Parallel Computers, University of Westminster, goyenea@wmin.ac.uk

  2. Session Part 1: Goals • Putting Web Services into context. • How to host Web Services. • How to secure Web Services. Session Part 2: Goals • Grid Services introduction. • Grid Services administration. • Grid Services security. • Grid Service study case.

  3. Session Part 1: outline • Putting Web Services into context: • What are Web Services? • A brief overview of Web Services core technologies. • How to host Web Services. • How to secure Web Services hosting environment.

  4. What are Web Services? • Depends who you ask - you’ll get different answers from different people. • Instead of a definition, we will describe a Web Service as an application that: • Exposes its operations to other applications via open interoperable standards, • Communicates with other applications over the Internet, and • Can be implemented in any programming language or platform.

  5. What are Web Services? • “Exposes its operation …” • Client app knows how to interact with the server app in a standard way. • “Communicate … over the Internet” • No centralized control and loosely coupled. • Message based, synchronous and asynchronous. • Use of established protocols. • Security. • “Implemented in any programming language and platform” • Separation of specification and implementation.

  6. W3C – What is a Web Service? “A Web service is a software system designed to support interoperable machine-to-machine interaction over a network. It has an interface described in a machine-processable format (specifically WSDL). Other systems interact with the Web service in a manner prescribed by its description using SOAP messages, typically conveyed using HTTP with an XML serialization in conjunction with other Web-related standards.” Source: W3C Working Group Note 11 February 2004 http://www.w3.org/TR/2004/NOTE-ws-arch-20040211/

  7. Web Services Model (diagram labels: Service Registry, Service Provider, Service Consumer, Service Description; interactions: 1 Publish, 2 Find, 3 Messaging)

  8. Web Services Protocol Stack Source: http://roadmap.cbdiforum.com/reports/protocols/

  9. Comment on the WS Protocols • The Web Services (WS) protocol stack includes a whole “zoo” of newer, evolving protocols, and their number keeps growing. • However, the essential WS protocols are: (1) Message transport, (2) Message encoding, (3) Service and message description, (4) Service publication and discovery.

  10. Essential WS Protocol: #1 • Message transport: • How to transport messages between applications? • Currently, this includes HTTP, SMTP, FTP, and newer protocols, such as Blocks Extensible Exchange Protocol (BEEP).

  11. Essential WS Protocol: #2 • Message encoding: • How to encode messages in a common format so that messages can be understood at end-points? • Currently, messages are encoded in XML format and packaged up using SOAP.

  12. What is SOAP? • SOAP is: • An XML based communication protocol. • A format for encoding datatype instances. • Used with XML Schema. • Transport independent. • SOAP with attachments allows arbitrary data to be packaged. (diagram: a SOAP Header containing Header Blocks, followed by a SOAP Body containing Body sub-elements)

  13. Alternatives to SOAP • XML documents over HTTP: • Most SOAP toolkits provide the mechanisms. • But these are still Web Services. • XML-RPC: • Simpler than SOAP and has a longer history. • Limitations on objects that can be exposed. • With current SOAP toolkit support, there is little reason to use it.

  14. Essential WS Protocol: #3 • Service description: • How to describe the public interface of a specific Web Service? • Currently, service description is handled via the WSDL (Web Services Description Language).

  15. What is WSDL? • A WSDL is an XML document. • A WSDL describes: • What the service can do, • Where it resides, and • How to invoke it. • WSDL descriptions can be made available from a registry, e.g., UDDI. (diagram: Types, Messages, Port Types, Binding, Services)

  16. Essential WS Protocol: #4 • Service publication and discovery: • How to publish/find other Web Services? • Currently, service discovery is handled via the UDDI (Universal Description, Discovery and Integration).

  17. What is UDDI? • UDDI began as an ad hoc consortium. Now housed at OASIS. • UDDI is: • A Web Services API for publishing and discovering the existence of Web Services. • A registry for managing information about Web Services. • An industry-wide initiative supporting Web Services. • UDDI has three levels of information: • White Pages - used to query companies with their attributes. • Yellow Pages - used to query and categorize businesses by taxonomies. • Green Pages - used to define how to interact with the Web Services.

  18. Web Services Toolkits

  19. Summary: Web Services (diagram labels: Web Services Provider and Web Services Consumer, each with a Production Platform, an Application and a Service Execution & Management Environment; UDDI; WSDL describing service; INTERNET; SOAP Message via HTTP(s); steps: Create, Publish, Deploy, Discover/Inspect/Contract, Embed, Invoke, Execute, Manage, Monitor; Workflow; operations such as Add, Change, and Delete; Request, Process, Payment)

  20. Session Part 1: outline • Putting Web Services into context. • How to host Web Services: • The big picture. • Tomcat, Axis, etc. • Installation, • Deployment, and • Administration. • How to secure Web services hosting environment.

  21. The big picture! (diagram labels: INTERNET, three WS Client Applications, Registry, Application Server, Soap Engine, WS 1, WS 2, WS 3, Database, Legacy App, Other Web Services)

  22. Additional Software • Other software you might want to consider: • A Web server like the Apache HTTP Server • Are you using Windows? Then, Cygwin is for you! • And of course a web browser like the Microsoft Internet Exploder, Netscape Navigator, Mozilla, or Mozilla Firefox (recommended).

  23. Installation Roadmap • Required packages: • 1. Java and Ant • 2. Tomcat • 3. Axis and Xerces2-J • [optional]: • 4. Database • 5. jUDDI • 6. UDDI4J

  24. Step 1: Java and Ant installation • Download binary: • Java Development Kit (JDK) version 1.4 or later: • http://java.sun.com/j2se/ • Ant version 1.6.2 or later • http://ant.apache.org/ • Install: • Install the JDK and Ant according to the instructions included with the release.

  25. Step 1: Java and Ant installation • Set environment variables: • Windows: • set ANT_HOME=<path_to_ant> • set JAVA_HOME=<path_to_jdk> • set PATH=%PATH%;%JAVA_HOME%\bin;%ANT_HOME%\bin • Unix: • export JAVA_HOME=<path_to_jdk> • export ANT_HOME=<path_to_ant> • export PATH=$PATH:$JAVA_HOME/bin:$ANT_HOME/bin

  26. Step 2: Tomcat installation • Download and install the Tomcat 5 binary distribution • http://jakarta.apache.org/site/binindex.cgi • Set environment variables: • Windows: • set CATALINA_HOME=<path_to_tomcat> • set PATH=%PATH%;%CATALINA_HOME%\bin • Unix: • export CATALINA_HOME=<path_to_tomcat> • export PATH=$PATH:$CATALINA_HOME/bin

  27. Step 2: Tomcat installation • Start up Tomcat 5: • Windows: • %CATALINA_HOME%\bin\startup.bat • Unix: • $CATALINA_HOME/bin/startup.sh • Default Web applications included with Tomcat 5 will be available by visiting: http://localhost:8080/ • It is recommended to remove the jsp-examples, servlets-examples, and webdav applications under the webapps/ directory.

  28. Step 3: Axis and Xerces2-J installation • Download Axis and Xerces2-J binary: • http://xml.apache.org/axis/ • http://xml.apache.org/xerces2-j/ • Deploy Axis and Xerces2-J • Unzip Axis and Xerces2-J. • Copy xercesImpl.jar and xmlParserAPIs.jar from the Xerces distribution into the axis/lib directory and also into the $CATALINA_HOME/common/lib directory. • Copy the webapps/axis tree to the $CATALINA_HOME/webapps directory. • Start up Tomcat.

  29. Step 3: Axis and Xerces2-J installation • Go to: http://localhost:8080/axis/ • You will see some errors or warnings about missing Activation.jar and mail.jar. • Download the required jar files and copy them to $CATALINA_HOME/common/lib

  30. Understanding Tomcat 5 • Tomcat 5 implements the Servlet 2.4 and JavaServer Pages 2.0 specifications from the Java Community Process. • Tomcat can run in three execution modes: • Standalone (default), • In-process, and • Out-of-process.

  31. Tomcat execution modes • Standalone: • Default mode for Tomcat. • Mainly used for development. • In-process add-on: • Web server plugin, which passes servlet/JSP requests to the servlet container via JNI. • JVM is started inside the Web server’s address space. • Suitable for multi-threaded single-process servers. • Provides good performance but does not scale well.

  32. Tomcat execution modes • Out-of-process add-on. • Web server plugin, which passes servlet/JSP requests to servlet container via TCP/IP socket. • JVM is started outside of Web server’s address space. • Poorer response time than in-process add-on, • Better scalability and more stable.

  33. Tomcat 5 Directory Structure • Key Tomcat directories, all relative to $CATALINA_HOME: • /bin: Startup, shutdown, and other scripts. The *.sh files (Unix) are functional duplicates of the *.bat files (Windows). • /common/lib: JAR files placed here are visible both to web applications and internal Tomcat code (JDBC drivers). • /shared/lib: JAR files placed here are visible to all web applications. • /conf: Configuration files and related DTDs. The most important file in here is server.xml. It is the main configuration file for the container. • /logs: Log files are here by default. • /webapps: This is where your webapps go. • /work: Working directory for Tomcat.

  34. Multiple Instances of Tomcat • To share a single binary among applications: • Set CATALINA_BASE=<path_to_tomcat1> • Make sure the <path_to_tomcat1> directory contains the following directories: • conf/ • logs/ • shared/ • webapps/ • work/ • temp/ • Provides some fault tolerance and allows clustering (load balancing).

  35. User Web Application • If you want to map a request URI starting with a tilde character ("~") and a username to a directory, e.g., http://<hostname>:<port>/~user, add a UserConfig listener to the Host element:

          <Host name="localhost" ...>
            ...
            <Listener className="org.apache.catalina.startup.UserConfig"
                      directoryName="public_html"
                      userClass="org.apache.catalina.startup.PasswdUserDatabase"/>
            ...
          </Host>

  36. Comments on Tomcat • Although Tomcat is great for running servlets, it is not a very efficient Web server. • Another possibility is to use Apache's HTTP Server program (httpd) as the Web server, with a connector to Tomcat to execute servlets.

  37. Recommended Tomcat Setup (diagram labels: Web Server Host; Apache2 with mod_ssl, mod_dav and mod_jk2; Tomcat; ports http/80, https/443, AJPV12/13 8007)

  38. Understanding Axis • Axis stands for Apache eXtensible Interaction System • Axis is: • A distributed framework. • Similar to IIOP, RMI, CORBA. • Allows RPC and Messaging communication. • Apache Based on SOAP 1.1 + Web Services. • Implemented as a Servlet. • Must run in a Servlet container (e.g. Tomcat)

  39. Axis Architecture Client Server

  40. Web Service Auto Deployment • Simple Technique (JWS): • Copy the Java source file containing the method(s) to be exposed to the axis directory. • Rename the java extension to jws, e.g., HelloWorld.java -> HelloWorld.jws

  41. Web Service Deployment • Complex Technique: • Use WSDD (Web Service Deployment Descriptor) – a preferred AXIS solution.

          <deployment xmlns="http://xml.apache.org/axis/wsdd/"
                      xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
            <service name="Math" provider="java:RPC" style="wrapped" use="literal">
              <parameter name="wsdlTargetNamespace" value="http://math.samples/"/>
              <parameter name="className" value="samples.math.Math"/>
              <operation name="add" qname="operNS:Add" xmlns:operNS="http://math.samples/"
                         returnQName="retNS:AddResult" xmlns:retNS="http://math.samples/"
                         returnType="rtns:float" xmlns:rtns="http://www.w3.org/2001/XMLSchema" >
                <parameter qname="pns:A" xmlns:pns="http://math.samples/"
                           type="tns:float" xmlns:tns="http://www.w3.org/2001/XMLSchema"/>
                <parameter qname="pns:B" xmlns:pns="http://math.samples/"
                           type="tns:float" xmlns:tns="http://www.w3.org/2001/XMLSchema"/>
              </operation>
              <parameter name="allowedMethods" value="add"/>
            </service>
          </deployment>

  42. Writing a Web Service (server) • In general apply the following steps: • Server Side: • Define a java interface • Write a Java class(es) that implements the interface you have defined and compile it. • Move your compiled class to your web server’s appropriate directory (e.g. %CATALINA_HOME%\webapps\axis\WEB-INF\classes) • Use org.apache.axis.wsdl.WSDL2Java tool to generate a WSDL document • Write a deployment descriptor • Use org.apache.axis.client.AdminClient tool to deploy your service to your hosting environment (e.g. Tomcat)

  43. Writing a Web Service (client) • Client Side: • Assuming that you know the service URL (i.e. bypassing service discovery), obtain the WSDL document for the service • Run the org.apache.axis.wsdl.WSDL2Java tool to generate client side stubs and data types from the WSDL doc. • Write a client Java class that uses the service locator and other Java classes to access the service interface (see Apache Axis User Guide for details) • Compile and run the client

  44. More Information • Wainwright, P., “Professional Apache,” Wrox Press Ltd. • Online articles: • httpd.apache.org/docs/ • jakarta.apache.org/tomcat/docs/ • java.sun.com/products/servlet/2.2/

  45. More Information • Java APIs for Web Services • SOAP messages as Java objects • SAAJ (SOAP with Attachments API for Java) • Programming Model • JAX-RPC (JSR101), JSR109, EJB2.1 • Accessing WSDL descriptions • JWSDL (JSR110) • Accessing Web Services Registries • JAXR (Java API for XML Registries)

  46. Session Part 1: outline • Putting Web Services into context. • How to host Web Services. • How to secure Web Services hosting environment: • Some highlights on securing hosting environment, • Standard way of working together securely: • WS-Security, • XML Encryption, and • XML Signature.

  47. Common Attack Types • Some common ones: • Denial of Service to a server, • Interception and manipulation of messages, • Forged client requests, • Forged server responses, • Attempts to read the server file system/database • Attempts to write to the server file system/database • All reasons to follow guidelines at http://www.owasp.org/

  48. How? • Secure the whole stack: • Web Service container, • The Host operating system, • Apply security patches (daily), and • Defence in Depth.

  49. Danger! Source: XML and Web Services: Are We Secure Yet? JAVAPRO

  50. Instead… Source: XML and Web Services: Are We Secure Yet? JAVAPRO
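An added example, not part of the original slides: slide 27 recommends removing Tomcat's sample applications and slide 41 limits the Math service to `allowedMethods="add"`, so this Python audit checks a host for both. The function names and the `LOOSE` descriptor are assumptions made for illustration; `STRICT` is abbreviated from slide 41.

```python
import os
import re
import xml.etree.ElementTree as ET

WSDD = "{http://xml.apache.org/axis/wsdd/}"
# Sample applications that slide 27 recommends removing from webapps/.
DEFAULT_APPS = {"jsp-examples", "servlets-examples", "webdav"}

def leftover_default_apps(webapps_dir):
    """Return the Tomcat sample applications still present under webapps/."""
    return sorted(DEFAULT_APPS & set(os.listdir(webapps_dir)))

def audit_wsdd(wsdd_text):
    """Return (service, finding) pairs for services without an explicit method list."""
    findings = []
    # Descriptors are local, administrator-owned files, so the stdlib parser is used.
    for svc in ET.fromstring(wsdd_text).iter(WSDD + "service"):
        name = svc.get("name", "<unnamed>")
        # Direct <parameter name=...> children are service options; the
        # parameters nested in <operation> (A and B on slide 41) are skipped.
        options = {p.get("name"): p.get("value", "")
                   for p in svc.findall(WSDD + "parameter")}
        allowed = options.get("allowedMethods")
        if allowed is None:
            findings.append((name, "allowedMethods is not set"))
        elif "*" in re.split(r"[\s,]+", allowed.strip()):
            findings.append((name, "allowedMethods is '*' (all public methods)"))
    return findings

# Constructed samples: STRICT follows slide 41, LOOSE is a hypothetical weak variant.
STRICT = """<deployment xmlns="http://xml.apache.org/axis/wsdd/">
  <service name="Math" provider="java:RPC">
    <parameter name="className" value="samples.math.Math"/>
    <parameter name="allowedMethods" value="add"/>
  </service>
</deployment>"""
LOOSE = STRICT.replace('value="add"', 'value="*"')

if __name__ == "__main__":
    print(audit_wsdd(STRICT))  # descriptor with an explicit method list
    print(audit_wsdd(LOOSE))   # wildcard descriptor
    home = os.environ.get("CATALINA_HOME")
    if home:
        print(leftover_default_apps(os.path.join(home, "webapps")))
```
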
