4 A Basic Web Service Computer A Language: C++ OS: W2000 XML Computer B Language: JavaOS: LinuxXMLIndependent oflanguage, OS, networkprotocols
5 Applications and Services We have become to rely on a number of Internet servicesBasic connectivity and data transport (TCP/UDP)SMTPWeb sitesWeb services (SOAP / REST)Signalling (SIP, VoIP)We expect many things from servicesAvailabilityTrustworthinessUsabilityInteroperability…
6 Web applications Recent trend has been to develop web applications Traditional applications on Internet (office suites,..)Search (Google, Yahoo, ..)Instant communications and presenceSocial collaboration and networking sitesData sharing sites and video sharingData storage servicesBloggingAnother recent trend is to simplify signing to servicesSingle Sign-On, federated identity, OpenIDAnd creating mashupsCombining services in new waysCustom experience and personalization
7 Well-known Services Social networking Myspace, Facebook, .. Start pagesWindows live, Netvibes, ..Social bookmarkingDel.icio.us, trailfire, ..Peer production newsNetscape, digg, newsvine,..Social media sharingYouTube, jumpcut, ..Online storageAmazon S3, Jungle Disk, omnidrive, ..
8 Challenges There are many challenges for Internet services AvailabilityDenial of service attacksHow ensure mashups work and are availableTrustworthinessPhishing and spam in its many formsIdentity theftPrivacyHow to enforce securityFederationHow to identify users and authenticate and authorizeHow to scale mashups
11 Challenges There are many challenges for Internet services AvailabilityDenial of service attacksHow ensure mashups work and are availableTrustworthinessPhishing and spam in its many formsIdentity theftPrivacyHow to enforce securityFederationHow to identify users and authenticate and authorizeHow to scale mashups
12 Middleware Widely used and popular term Fuzzy term One definition “A set of service elements above the operating system and the communications stack”Second definition“Software that provides a programming model above the basic building blocks of processes and message passing” (Colouris, Dollimore, Kindberg, 2001)
13 Why Middleware? Application development is complex and time- consuming Should every developer code their own protocols for directories, transactions, ..?How to cope with heterogeneous environments?Networks, operating systems, hardware, programming languagesMiddleware is neededTo cut down development timeRapid application developmentSimplify the development of applicationsSupport heterogeneous environments and mask differences in OS/languages/hardware
14 Middleware cont. Middleware services include directory, trading, brokeringremote invocation (RPC) facilitiestransactionspersistent repositorieslocation and failure transparencymessagingSecurityNetwork stack (transport and below) is not part of middleware
15 Transparencies Location transparency RPC and RMI used without knowledge of the location of the invoked procedure / objecttransport protocol transparencyRPC may be implemented using any transport protocoltransparency of OS and hardwareRPC/RMI uses external data representationPresentation is importantXML is becoming increasingly importanttransparency of programming languageslanguage independent definition of procedures: CORBA IDL
16 Web Service Architecture MotivationMachine readable content on the WebProgramming API for the WebAccess independent of the computing environmentThe three major roles in web servicesService providerProvider of the WSService RequestorAny consumer / clientService Registrylogically centralized directory of servicesA protocol stack is needed to support these roles
17 Web Services Protocol Stack Message TransportResponsible for transporting messagesHTTP, BEEPXML MessagingResponsible for encoding messages in common XML formatXML-RPC, SOAPService DescriptionResponsible for describing an interface to a specific web serviceWSDLService discoveryResponsible for service discovery and searchUDDI
19 Standardization SOAP WSDL XML Protocol Working Group W3C Web Services ActivityXML Protocol Working GroupSOAPWeb Services Description Working GroupWSDLWeb Services Addressing Working GroupWeb Services Choreography Working GroupOASISOrganization for the Advancement of Structured Information StandardsE-business standards, UDDIWS-I (Web Service Interoperability Org.)Binding profiles,..
20 What is WSDL? WSDL: Web Service Description Language An XML language used to describe and locate web serviceslocation of web servicemethods that are availabledata type information and XML messagesCommonly used to describe SOAP-based servicesW3C standardInitial input: WSDL 1.1 as W3C NoteCurrent version 2.0 (Recommendation)Some differences between 1.1 and 2.0WSDL 1.1 in WS-I Basic Profile 1.0 and 1.1.
21 WSDL Overview <definitions>: ROOT WSDL element <types>: The data types that are used<message>: What messages are transmitted?<portType>: The supported operations<binding>: The binding to concrete protocols<service>: Reference to actual location
23 What is SOAP? More complex interactions may be implemented Fundamentally stateless one-way message exchange paradigmMore complex interactions may be implementedExchange of structured and typed informationBetween peers in decentralized fashionUsing different mediums: HTTP, , ..Request-reply and one-way communication are supportedNote that XML infoset is an abstract specificationOn-the-wire representation does not have to be XML 1.0!SOAP 1.2 ”HTTP Subset”. SOAP as HTTP extensionSpecificationsSOAP Version 1.2 Part 0: PrimerSOAP Version 1.2 Part 1: Messaging FrameworkSOAP Version 1.2 Part 2: AdjunctsSOAP Version 1.2 Specification Assertions and Test Collection
24 SOAP Message Structure Optional header contains blocks of information regarding how to process the message:Routing and delivery settingsAuthentication/authorization assertionsTransaction contextsBody is a mandatory element and contains the actual message to be delivered and processed (and fault information)SOAP EnvelopeSOAP HeaderHeader blockHeader blockSOAP BodyMessage Body
25 What is UDDI? XML schema for SOAP messages a description of the API Universal Description Discovery and IntegrationA mechanism for clients to dynamically find Web servicesWhite pages, yellow pages (categories), green pages (technical information)Developed on industry standardsApplies equally to XML and non-XML web servicesImplementationPublic web service registry and development resourcesSOAP-based programming protocol for registering and discovering Web servicesXML schema for SOAP messagesa description of the APIUDDI does not directly specify how pricing, deadlines, etc. are handled/matchedAdvanced discovery via portals and marketplaces
26 Main Point: We need security within AND between security contexts! WS Security ContextsSecurity Context IISecurity Context IWebBrowserWebsiteAppl.ServerWebServiceHTTP POSTSOAPMain Point: We need security within AND between security contexts!
28 REST REST (Representational State Transfer) (Roy Fielding, PhD thesis) Architectural style of networked systemsApplications transfer state with each resource representationRepresentations of the data are transmittedState is a property of a resourceResourcesAny addressable entityWeb site, HTML page, XML document, ..URLs Identify ResourcesEvery resource uniquely identifiable by a URI
29 REST II Uses standards Addressing and naming: URI Generic resource interface: HTTP GET, POST, PUT, DELETEResource representations: HTML, XML, GIF,..Media types: MIMELoose couplingStateless transactionsSelf-descriptive messagesHypermedia is the engine of application stateJust resources and URIs
30 REST Goals Scalability of component interactions Generality of interfacesIndependent deployment of componentsIntermediaries to reduce latency, improve security, and encapsulate legacy systems
32 RESTful Example GET /songs HTTP/1.1 200 OK GET /songs/700 HTTP/1.1 POST /songs HTTP/1.1201 CreatedPUT /songs/701 HTTP/1.1204 No ContentDELETE /songs/701 HTTP/1.1204 No Content
33 Characteristics Client-Server pull style interactions Stateless, minimal stored context on a serverUniform interface: GET POST PUT DELETENamed resources (URIs)Resource caching (HTTP header)Comparison to SOAPFor REST all decisions are made upon the URL and HTTP methodSOAP uses header and possibly content as wellHypothesis: REST+XML is applicable for all SOAP/WSDL?SOAP offers headers, encoding, extensions
35 Amazon Web Services Web Services = APIs + Business Models Data as a serviceE-Commerce service (product data)Historical pricingInfrastructure as a serviceSimple Queue Service, Simple Storage Service, Elastic Compute CloudSearch as a serviceAlexaPeople as a serviceAmazon Mechanical Turk
36 Amazon Web Services IICross platform support: libraries in Python, Java, ..REST and SOAP, XML, XSLTPay as you goSimple Queue ServiceMade for communicating to your various Web servicesMessage storageS3 Simple Storage SystemNot a file systemYou store your data in bucketsBucket names are globally unique (4KB long, max chunk 5GB) Files can be accessed over HTTP or BitTorrent
37 Amazon Web Services III EC2: Elastic Compute CloudOn-demand Linux clusterUses XEN virtualization technologyInstances are stored on S3You get root privileges, can install software
38 More Web Services Google Search API Google Maps Advertisement APIs .. Yahoo!Answers, Local, Mail, Maps, Photos, Search, Shopping, Travel, Utilities, ..
40 PapersGoogleThe Anatomy of a Large-Scale Hypertextual Web Search EngineThe Google File SystemWeb Search for a Planet: The Google Cluster ArchitectureAmazonAmazon Recommendations: Item-to-Item Collaborative FilteringAnalyzing Customer Behaviour at Amazon.comYahooExperience with Personalization of Yahoo!
41 Security and Trust We are going towards identity-based service access A number of identities per hostPseudonyms, privacy issuesDelegation and federation are neededDecentralization: the user has the freedom of choosing who manages identity and dataSolutions for authenticationWeb-based standard (top-down)ID-FFWeb-based practice (bottom-up)OpenID and oAuthWeb servicesSAML 2.0
42 Liberty Alliance ID-FF Liberty Alliance Identity Federation Framework (ID-FF)Basic case: Web directionRedirect to IDP for credentials, redirect back to service, verification with IDPUses SAML requests and assertionsMandatory features for an identity providerSingle sign on and federationSingle sign outFederation terminationAffliliationsDynamic proxying of Identity ProvidersCircle of trust implemented usingSAML assertions, requests, redirection, and validation
43 ID-FF specs Liberty ID-FF Identity Federation Framework A forerunner to the SAML 2.0 specification. All of the functionality in ID-FF has been incorporated into SAML 2.0Liberty ID-WSFIdentity Web Services FrameworkBuilds on WS-Security and SAML 2.0Liberty ID-SISIdentity Services Interface SpecificationsHigh-level web service interfaces that support particular use cases like data/profile, geolocation, contact book, and presence services.
44 Passport and Live ID Intended to solve two problems to be an identity provider to MSNidentity provider for the InternetFirst goalover 250 million active Passport accounts and1 billion authentications per daySecond goalWhat is the role of the identity provider in transactions?Passport no longer stores personal information other than username/password credentialsAuthentication service for sitesProprietary technologyRoadmap: towards identity card (CardSpace)Interface for identity based authentication and authorizationIdentity cards that people can choose (Identity Metasystem)Integration with Web sitesConsistent user interfaceWindows Live IDUnified login service for Microsoft sites such as Hotmail, MSNBC, MSN, ..Used also for ad targeting with adCenterHas been opened for Web site developers (August, 2007)
45 OpenID OpenID is a decentralized sign-on system for the Web Not a real single sign-on solution, does not support authorizationInstead of usernames and passwords, users need to have an account with some identity providerThe user has the choice of selecting a suitable identity providerSupport: AOL, Orange, FireFox, Microsoft planning support in Vista, LiveJournal, Wikitravel, Zooomr, Ma.gnoliaEstimated 120 million OpenIDs on the InternetOpenID 2.0 supports discoveryYadis provides a mechanism for determining the services that are available with a given identifierIdentity aggregation: ClaimIDClaim Web resources under your OpenID (must have write permission)
46 OpenID URLThere are two ways to obtain an OpenID-enabled URL that can be used to login on all OpenID-enabled websites.To use an existing URL that one's own control (such as one's blog or home page), and if one knows how to edit HTML, one can insert the appropriate OpenID tags in the HTML code following instructions at the OpenID specification.The second option is to register an OpenID identifier with an identity provider. They offer the ability to register a URL (typically a third-level domain) that will automatically be configured with OpenID authentication service.
48 oAuthoAuth is an open protocol to allow clients to access protected dataIntended for desktop and web applicationsExample: a printing service printer.example.com, oAuth provides mechanisms for the printer to access user photos on photos.org without requiring users to provide credentials to printer.example.com.A solution for publish and interact with protected dataDoes not require a specific user interface or pattern, nor does it specify how service providers authenticate usersCan be used with OpenIDAttempt to collect best practices from existing protocolsBBAuth (Yahoo), FacebookAuth, FlickrAuth, AuthSub (Google), OpenAuth (AOL) ..Contributors from many Web companies: Google, Flickr, Ma.gnolia, sixapart, JaikuoAuth 1.0 Draft 3 was released September 28, 2007More information:
49 Authentication with oAuth Entities: User, Consumer (accessing data), Service Provider (keeps the data)Tokens:Request token: used by the consumer to ask the user to authorize accessAccess token: used by the consumer to access the protected resources on behalf of the userOAuth Authentication is done in three steps:The Consumer obtains an unauthorized Request Token.The User authorizes the Request Token.The Consumer exchanges the Request Token for an Access Token.
52 SummaryWeb services address easy and flexible service provision on top of the basic networking stackHigh-level programming API for the WebXML is becoming the presentation format for the InternetStandards-based to ensure interoperabilityA middleware stack is neededWSDL, SOAP, UDDI, messaging protocolsREST+XML as a lightweight alternativeMany services support both SOAP and RESTWe are going towards identity-based authentication and authorizationCentralized vs. decentralized