Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Java WS Core for Developers Rachana Ananthakrishnan Jarek Gawor.

Similar presentations

Presentation on theme: "1 Java WS Core for Developers Rachana Ananthakrishnan Jarek Gawor."— Presentation transcript:

1 1 Java WS Core for Developers Rachana Ananthakrishnan Jarek Gawor

2 2 Session Notes l Slides available at: u l This session is for developers already familiar with Java WS Core l Beginners please checkout L3: Build a Service Using GT4 lab u Thursday 2pm – 5:45pm l Other relevant sessions at GW u COMM12: Mini Symposium - Development Tools for GT4 Service Programming l Monday - but slides might be interesting u L4: The FileBuy Globus Based Resource Brokering System - A Practical Example l Friday 9am - 1pm

3 3 Overview l Two session parts 1. General programming guidelines 1. WSDL 2. Service implementation 3. Lifecycle management 4. Resource persistence and caching 5. Service communication 6. Background tasks 7. Debugging and production tuning 2. Security features of Java WS Core

4 4 Java WS Core l Development kit for building stateful Web Services l Implementation of WS-Resource Framework (WSRF) and WS-Notification (WSN) family of specifications l Provides lightweight hosting environment u Can also run in Tomcat, JBoss and other application servers l Support for transport and message level security l Implemented with standard Apache software u Axis 1 (SOAP engine) u Addressing (WS-Addressing implementation) u WSS4J (WS-Security implementation) u and more

5 5 Java WS Core Key Programming Model Concepts l Service u Implements business logic – stateless u Can be composed of one or more reusable Java objects called operation providers u Configured via server-config.wsdd l Resource u Represents the state - statefull l ResourceHome u Manages a set of resources u Performs operations on a subset of resources at once u Configured via jndi-config.xml l A service is usually configured with a corresponding ResourceHome that is used to locate the Resource objects

6 6 Programming Guidelines and Best Practices

7 7 Service WSDL l Do not generate WSDL from existing code u Create it by hand, modify existing one, etc. but follow the WSDL guidelines described next l Tooling is still not perfect u Might generate non-interoperable WSDL

8 8 WSDL Guidelines l WSDL has u Document and RPC invocation style u Literal and SOAP encoded mode l Use Document/Literal mode u Do not mix Literal with SOAP encoding in one WSDL l Always validate your WSDL u Java WS Core does NOT validate it l Follow WS-I Basic Profile 1.1 guidelines u Improves interoperability

9 9 WSDL Doc/Lit Guidelines At most one wsdl:part element

10 10 WSDL Doc/Lit Guidelines Must use element attribute

11 11 Must reference unique elements (for input messages) WSDL Doc/Lit Guidelines

12 12 Document/Literal - Arrays l Encoded - SOAP Encoding l Literal – XML Schema <xsd:element name="x" type="xsd:string" minOccurs="0" maxOccurs="unbounded"/> <xsd:attribute ref="soapenc:arrayType wsdl:arrayType="tns:MyArray2Type[]"/> <xsd:element name="x" type="xsd:string" minOccurs="0" maxOccurs="unbounded"/>

13 13 Service Implementation l If you have an existing service code u Do NOT generate WSDL from it and try to make it work somehow u Instead: 1) Create WSDL by hand (or using some tools) 2) Validate WSDL 3) Generate Java code from WSDL 4) Implement the generated service interface by delegating the calls to your existing service code l In general, always implement the generated service interface u Do NOT define your own service methods first u In Document/Literal mode service methods will ALWAYS have 1 input parameter

14 14 Service Implementation Guidelines l Service methods should be stateless l Keep service logic separate from the service façade u Use Axis generated types only in the service facade l Avoid passing it to other classes, etc. l Instead, convert it to your own types u Helps to deal with WSDL, SOAP engine changes, etc. without affecting main service functionality l Some Axis specific issues u Service methods should explicitly define all faults that the method can throw as specified in WSDL l Otherwise, the faults will not be serialized correctly on the wire u Do NOT use full constructors to initialize the Axis generated types l The order of parameters keeps changing MyType type = new MyType(min, max); MyType type = new MyType(); type.setMin(min); type.setMax(max);

15 15 Lifecycle: Service l Services can implement u javax.xml.rpc.server.ServiceLifecycle interface l init(Object) u Axis MessageContext and JAAS security subject will be associated with the thread l destroy() u Axis MessageContext will be associated with the thread l These methods are called based on the scope of the service u Application (one service instance is created and used for all requests) l init() – called when first accessed (or on container startup if loadOnStartup enabled) l destroy() – called on container shutdown u Request (new service instance is created on each request) l init() – called before each request l destroy() – called after each request u Session l Not supported

16 16 Lifecycle: ResourceHome l ResourceHome can implement u org.globus.wsrf.jndi.Initializable interface l initialize() u Called when first accessed (or on container startup if loadOnStartup is enabled) u Called after all the parameters specified in the configuration file are set u Axis MessageContext and JAAS security subject will be associated with the thread (ResourceHome only) u org.globus.wsrf.jndi.Destroyable interface l destroy() u Called on container shutdown

17 17 Lifecycle: Resource l Creation – resource creation is service specific u No API defined l Destruction - resource object can implement u org.globus.wsrf.RemoveCallback interface l remove() u Called by ResourceHome only u ResourceHome calls remove() when l Resource is destroyed explicitly u Service implements the ImmediateResourceTermination port type of WS-ResourceLifetime specification l Resources lease expires u Service implements the ScheduledResourceTermination port type of WS-ResourceLifetime specification l Activation – persistent resource objects are usually activated on demand as a requests come in u ResourceHome could activate resources in its initialize() method

18 18 Resource Persistence l Persistence mechanism is up to the service developers u Java serialization, relational database, xml database, etc. l Resource objects can implement u org.globus.wsrf.PersistentResource interface l load(ResourceKey) u Loads resource state »Does not need to load the entire resource state – only the necessary bits »Rest of the state can be loaded on demand u Does not need to be synchronized as called once to bring the resource into memory l store() u Saves resource state u Must be synchronized as might be called from multiple threads at the same time u Use with org.globus.wsrf.impl.ResourceHomeImpl

19 19 Resource Persistence l Persistence resource object must provide no- argument constructor u ResourceHomeImpl attempts to load the resource by l Creating new instance of the resource object l Calling the load(ResourceKey) method u load() either loads the resource state, or u Fails with NoSuchResource exception l Define separate constructors to distinguish between new resource creation and resource activation

20 20 Container Registry l In-memory registry of service and container configuration information u Created from the jndi-config.xml files deployed with services u Registry is only exists on the server-side u Services can use it to pass its own custom configuration u Services can use it at runtime to store some information l Information stored at runtime will not be persisted – registry is transient u Registry is visible to all services l Facilities direct communication with other services / resources l Accessible via standard JNDI API u Retrieve configuration data, find ResourceHome of the current and other services

21 21 Container Registry l Registry has a tree-like structure u java:comp/env - root of the tree l /services – all services are placed under this node u /ServiceA – each service also has its own sub-node »home – service-specific resources are leaf nodes »resourceA u /ServiceB »resourceB »… l resourceC – global resources are leaf nodes under root l resourceN l …

22 22 Obtaining reference to the registry using JNDI l Usual method l Recommended method import org.globus.wsrf.jndi.JNDIUtils;... InitialContext ctx = JNDIUtils.getInitialContext(); InitialContext ctx = new InitialContext(); Works in application servers

23 23 Container Registry Adding Custom JNDI Resources Java class: public class MyBean { private long timeout; private MyBean() { } public void setTimeout(long timeout) { this.timeout = timeout; } public long getTimeout() { return this.timeout; } Resource definition: <resource name=MyBean" type=package.MyBean"> factory org.globus.wsrf.jndi.BeanFactory timeout 120000

24 24 Container Registry Adding Custom JNDI Resources Java class: public class MyBean { private long timeout; private MyBean() { } public void setTimeout(long timeout) { this.timeout = timeout; } public long getTimeout() { return this.timeout; } } Can implement Initializable and Destroyable interfaces Class must have no- argument Define appropriate getters and setters methods. All basic types are supported. Arrays are not supported

25 25 Container Registry Adding Custom JNDI Resources Resource definition: <resource name=MyBean" type=package.MyBean"> factory org.globus.wsrf.jndi.BeanFactory timeout 120000 Specifies Java class All JNDI resource must specify factory parameter with that value (expect home resources) Each parameter name must correspond to a setter method in the Java class

26 26 Resource Cache l Works only with org.globus.wsrf.impl.ResourceHomeImpl and persistent resources u ResourceHomeImpl m aps resource keys to resource objects wrapped in Java SoftReferences u SoftReferences allow the JVM to automatically garbage collect the resource objects if nothing else references them l Thus, reduces memory usage and improves scalability u However, sometimes with SoftReferences resource objects might get GCed too frequently l Resource Cache prevents that by keeping temporary hard references to the resource objects u Cache can have size limit or time limit or both u Cache uses Least Recently Used (LRU) algorithm

27 27 Configuring Resource Cache … factory org.globus.wsrf.jndi.BeanFactory timeout 120000 maxSize 1000 … Specify cache size or timeout or both

28 28 Configuring Resource Cache …... cacheLocation java:comp/env/services/CounterService/cache... Add cacheLocation parameter that points to the cache resource

29 29 Communication Between Services l Regular invocations u Standard HTTP/S calls u Service can be remote or local l Local invocations u In-memory, server-side only calls between services l No HTTP/S transport - uses local:// protocol u Extra setup is necessary to use local invocation in Tomcat or other application servers l SOAP serialization/deserialization is performed l Security is enforced (message level) l Direct invocations u In-memory, server-side only calls between services l Regular Java method calls achieved using JNDI u Can invoke things published in JNDI but cannot invoke actual service method l SOAP serialization/deserialization is not performed l Security is not enforced

30 30 Regular Invocation Example URL url = new URL(http://localhost:8080/wsrf/services/MyService"); MyServiceAddressingLocator locator = new MyServiceAddressingLocator(); MyService port = locator.getMyServicePort(url); port.hello();

31 31 Local Invocation Example URL url = new URL("local:///wsrf/services/MyService"); MyServiceAddressingLocator locator = new MyServiceAddressingLocator(); MyService port = locator.getMyServicePort(url); port.hello(); Call sequence is the same as with a regular invocation Same service just changed to local:// protocol

32 32 Direct Invocation Example InitialContext ctx = JNDIUtils.getInitialContext(); ResourceHome home = (ResourceHome)ctx.lookup( "java:comp/env/services/ContainerRegistryService/home"); // ContainerRegistryService is a singleton so lookup with a null key RegistryService resource = (RegistryService)home.find(null); EntryType[] entries = resource.getEntry(); for (int i=0;i<entries.length;i++) { System.out.println(entries[i].getMemberServiceEPR().getAddress()); } Actual example that will list URLs of deployed services in the container

33 33 Background Tasks l Instead of creating separate Threads use u WorkManager l Use for executing one-time tasks u No while (true) {.. } type of things! u TimerManager l Used for executing periodic tasks l Both use thread pools u Do not queue tasks that wait synchronously for results from other tasks l If you have to create separate Threads u Limit the number of the threads u Have an explicit way to stop them

34 34 TimerManager Example import commonj.timers.Timer; import commonj.timers.TimerListener; import commonj.timers.TimerManager; … InitialContext ctx = JNDIUtils.getInitialContext(); TimerManager timerManager = (TimerManager)initialContext.lookup( java:comp/env/timer/ContainerTimer); TimerListener timerTask = (new TimerListener () { public void timerExpired(Timer timer) { System.out.println(called); } }); timerManager.schedule(timerTask, 1000 * 30);

35 35 WorkManager Example import; import; … InitialContext ctx = JNDIUtils.getInitialContext(); WorkManager workManager = (WorkManager)initialContext.lookup( java:comp/env/wm/ContainerWorkManager); Work workTask = (new Work () { public void run() { System.out.println(called); } public void release() { } public boolean isDaemon() { return false; } }); workManager.schedule(workTask);

36 36 Production Tuning l Settings to watch for in production environment u JVM max/min heap size u File descriptors per process u Container service thread pool

37 37 JVM Heap Size l Most JVM use 64MB max heap size by default u This might be too small for some applications u Indication of the problem l java.lang.OutOfMemoryError u Of course, could also indicate a memory leak in application l To adjust, pass –Xmx m option to JVM u In case of Java WS Core container set: l export GLOBUS_OPTION=-Xmx1024m

38 38 File Descriptors l Most OS limit the number of opened file descriptors to 1024 per process u File descriptors = incoming connections + outgoing connections + opened files + pipes u This might be too small for some applications u Indication of the problem l Too many open files u Of course, could also indicate a problem in application »Forgetting to close connections, files, etc. l To adjust, see your OS documentation on how to increase this limit

39 39 Container Thread Pool l Java WS Core container uses a thread pool for serving requests u Requests are also put into a queue u The maximum thread pool size is 20 by default l Used to be 8 in GT 4.0.2 and older l Might be too small for some applications l Can lead to Read timed out exceptions u When lots of requests queue up and there are no available threads to service them l To adjust, edit $G_L/etc/globus_wsrf_core/server- config.wsdd file and add or modify the following parameter u

40 40 General Debugging Tips l Use a profiler tool! l Read JVM troubleshooting documentation u Sun JVM l u IBM JVM l

41 41 Some Useful Debugging Tips l JVM Thread Dump u Useful for detecting deadlocks or seeing the status of threads u On Unix l kill –QUIT u On Windows l Press Ctrl-Break in the window in which the JVM is running l JVM Heap Dump u Useful for detecting memory problems l Sun JDK 1.4.2_12+ and 1.5.0_06+ only u Add -XX:+HeapDumpOnOutOfMemoryError option to JVM »Will dump heap into a file in binary format on OutOfMemoryError »Use a tool to examine the heap dump l IBM JDK 5.0 u Will dump heap automatically on OutOfMemoryError

42 42 New Features in GT 4.2 l HTTP/S connection persistence u Improves performance especially for HTTPS connections l WS-Enumeration support u Large XML datasets can be returned a chunk at a time u Service API for adding WS-Enumeration capabilities to any service l TargetedXPath query dialect u Improved, more efficient XPath querying of resource properties l Use namespace prefixes reliably in the query expression u Explicit namespace mappings sent with the query l Query a particular resource property instead of the entire resource property document l Return query results as WS-Enumeration

43 43 New Features in GT 4.2 l Dynamic Deployment (standalone container only) u Deploy or undeploy (remotely) a service from the container without restarting it u Direct the container to reinitialize itself (after configuration change) l SOAP with Attachments u Standalone container will now handle attachments u DIME, MIME, MTOM formats supported l Other u Updated 3 rd party libraries (including Axis) u Automatic validation of WSDD, JNDI, security descriptor files u Error codes in error messages

44 44 Questions? l More information u GT 4.0.x l u Latest documentation (for GT 4.2) l drafts/common/javawscore/ l Contribute to Java WS Core u

45 45 GT Java WS Security

46 46 l Authentication u Establish identity of an entity l Message Protection u Integrity u Privacy l Delegation u Empower an entity with rights of another l Authorization u Ascertain and enforce rights of an identity Security Concepts Overview

47 47 1. Authentication Framework u Message Protection 2. Delegation 3. Authorization Framework u Attribute Processing 4. Security Descriptor Framework 5. Writing secure service, resource and client Outline

48 48 Authentication Framework

49 49 Authentication Schemes l Secure Transport u Secure Sockets (https) u Anonymous access support u Container-level configuration l Secure Message u Each individual message is secured u Replay Attack Prevention l Secure Conversation u Handshake to establish secure context u Anonymous access support

50 50 Server-side features l Message Protection options u Integrity and Privacy l Configure required authentication as policy u At service or resource level u Programmatic or security descriptors l Server response u Same authentication scheme as request

51 51 Client-side features l Configurable client side authentication u Per invocation granularity u Properties on the Stub u Programmatically or Security Descriptors l Message Protection options u Integrity and Privacy u Default: Integrity protection

52 52 Related Utility API l To get peers subject: u SecurityManager.getManager().getPeerSubject () l To get peers identity u SecurityManager.getManager().getCaller()

53 53 Delegation

54 54 Delegation Service l Higher level service l Authentication protocol independent l Refresh interface l Delegate once, share across services and invocation Client Service1 Service2 Service3 Delegation Service Hosting Environment Resources Delegate EPR Refresh DelegateRefresh

55 55 Delegation l Secure Conversation u Can delegate as part of protocol u Extra round trip with delegation u Delegation Service is preferred way of delegating l Secure Message and Secure Transport u Cannot delegate as part of protocol

56 56 Authorization Framework

57 57 Server-side Authorization Framework l Establishes if a client is allowed to invoke an operation on a resource l Only authenticated calls are authorized l Authorization policy configurable at resource, service or container level

58 58 Server-side Authorization Framework l Policy Information Points (PIPs) u Collect attributes (subject, action, resource) u Ex: Parameter PIP l Policy Decision Points (PDPs) u Evaluate authorization policy u Ex: GridMap Authorization, Self Authorization l Authorization Engine u Orchestrates authorization process u Enforce authorization policy u Combining algorithm to renders a decision

59 59 GT 4.0 Authorization Framework Authorization Engine (Deny-override) PIP1PIP2PIPnPDP1PDP2PDPn … … Authorization Handler Authentication Framework Identity and public credential of client Appropriate Authorization Engine Message Context (store attributes) Permit Deny Permit

60 60 GT 4.2 Attribute Framework l Normalized Attribute representation u Attribute Identifier: l Unique Id (URI) l Data Type (URI) l Is Identity Attribute ? (boolean) u Set of values u Valid from u Valid to u Issuer l Comparing attributes

61 61 Entity Attributes Attribute1 Attribute2 AttributeB AttributeA AttributeX Identity Attributes Attributes Native Attributes Attribute3 Attribute1 AttributeD AttributeC AttributeY Identity Attributes Attributes Native Attributes Attribute3 Attribute1 AttributeD AttributeC AttributeY Attribute2 AttributeB AttributeA AttributeX Merge Entity1 Entity2

62 62 GT 4.2 Attribute Framework l Bootstrap PIP u Collects attributes about the request: subject, action and resource u Example: X509BootstrapPIP

63 63 GT 4.2 PDP Interface l Access rights u canAccess() l Administrative rights u canAdmin() l Return type: Decision u PERMIT/DENY/INDETERMINATE u Issuer of decision u Validity u Exception, if any

64 64 GT 4.2 Authorization Engine l Pluggable combining algorithm l u Initializes PIPs and PDPs with configured parameters u Invokes collectAttributes() on all PIPs u Merges the entity attributes returned by PIPs u Abstract method engineAuthorize process PDPs l Combines decisions from individual PDPs l Returns Decision l Default combining algorithm u Permit override with delegation of rights u At-least one decision chain from resource owner to requestor for a PERMIT

65 65 GT 4.2 Authorization Framework Authorization Engine Authorization Handler Authentication Framework Identity and public credential of client Appropriate Authorization Engine bPIP1 [owner1] … bPIPn [ownerN] PIP1 [owner1] … PIPn [ownerN] … Request Attributes PIP Attribute Processing PDP Combining Algorithm Attributes PDP1 [owner1] canAdmin canAccess PDPn [ownerN] Decision

66 66 Authorization Engine Precedence l Authorization engine used u Administrative authorization engine (container) 1. Resource level authorization engine 2. Service level authorization engine 3. Container level authorization engine l Default: u X509BootstrapPIP and Self authorization

67 67 Authorized User Information l Getting information on authorized user u $GLOBUS_LOCATION/container- u # Comment out the line below if you want to log every authorization decision the container makes. thorizationHandler=WARN

68 68 l Determines if said service/resource is allowed to cater to the clients request l Pluggable authorization scheme u Defined interface, implement custom schemes l Configured as property on stub or using security descriptors l Examples: Self, Host, Identity, None l Default: Host l Required when secure conversation is used with delegation Client-side Authorization

69 69 GT 4.2 Enhancements l HostOrSelf Authorization u Algorithm: l Do host authorization l If it fails, do self authorization u Set as default in 4.2 code base

70 70 Security Descriptor Framework

71 71 Security Descriptor Overview l Used to configure security properties l Declarative security u Configure properties in files l Different types of descriptors for container, service, resource and client security properties l GT 4.2 Enhancements u Defined schema for each descriptor

72 72 Server-side Security Descriptor l Container descriptor in global section of deployment descriptor u $GLOBUS_LOCATION/etc/globus_wsrf_core/server- config.wsdd u Parameter: containerSecDesc u Can be done only in this file l Service descriptor in services deployment descriptor u Parameter: securityDescriptor l Resource descriptor set programmatically u Load from file or use ResourceSecurityDescriptor object l Loaded as file or resource stream

73 73 GT 4.2 Credentials Configure l Proxy file name u l Certificate and key filename u l Absolute file name, as resource stream, relative to $GLOBUS_LOCATION

74 74 GT 4.2 Service Authentication Policy l Default for all operation : l Per operation configuration:

75 75 GT 4.2 Run-as Configuration l Determines the credential to associate with current thread l Options: caller, system, service, resource l All methods: u l Per method: u

76 76 GT 4.2 Authorization Configuration Permit Override with delegation X509BootstrapPIP is also invoked Only X509BootstrapPIP is invoked

77 77 GT 4.2 Authorization Parameters <containerSecurityConfig xmlns="" xmlns:xsi="" xsi:schemaLocation=" name_value_type.xsd" xmlns:param="">

78 78 Related Utility API l To get resource credential u SecurityManager.getManager().getResourceSubject() l To get service credential u SecurityManager.getManager().getServiceSubject() l To get container credential u SecurityManager.getManager().getSystemSubject() l To get effective credential u SecurityManager.getManager().getSubject()

79 79 Client side descriptor l Security descriptor file u ((Stub)port).setProperty(Constants.CLIENT_DESCRI PTOR_FILE, fileName); u Absolute path or as resource stream or relative to $GLOBUS_LOCATION l Security descriptor object u ((Stub)port).setProperty(Constants.CLIENT_DESCRI PTOR, instance of ClientSecurityDescriptor);

80 80 GT 4.2 Authentication Configuration l GSI Secure Transport l GSI Secure Conversation l GSI Secure Message

81 81 l Authorization Element u l Values: u none u host u self u hostOrSelf u Expected DN as string l Does not support custom authorization configuration GT 4.2 Authorization Configuration

82 82 Writing secure service, resource and client

83 83 Writing Secure Service l Create security descriptor file u Typically placed in service source/etc l Ensure your build process picks up etc directory into gar u Part of the source jar u Name file *security-config.xml l Add parameter to deployment descriptor u

84 84 Writing Secure Service l Write security properties in descriptor file l Deploy service l GT 4.2, Run validate tool u globus-validate-descriptors u All files *security-config.xml are validated

85 85 Writing Secure Resource public class TestResource implement SecureResource { ResourceSecurityDescriptor desc = null; public TestResource() { this.desc = new ResourceSecurityDescriptor(descFileName); } public ResourceSecurityDescriptor getSecurityDescriptor() { return this.desc; } } this.desc = new ResourceSecurityDescriptor(); // set properties programmatically this.desc.setDefaultRunAsType(RunAsValue._caller);

86 86 Writing Secure Client l Construct ClientSecurityDescriptor u From file u Programmatically l Extend from org.globus.wsrf.client.BaseClient u Parses standard security parameters u Use setOptions(stub) to set relevant security parameters l If using GSI Secure Transport, Util.registerSecureTransport() l If contacted service uses GSI Secure Transport, containers identity should be expected

87 87 Questions? l Future Work: u y y l Documentation: u -drafts/security/index.html -drafts/security/index.html l Code: u l Contributions: u

88 88 Say YES to Great Career Opportunities SOFTWARE ENGINEER/ARCHITECT Mathematics and Computer Science Division, Argonne National Laboratory The Grid is one of today's hottest technologies, and our team in the Distributed Systems Laboratory ( is at the heart of it. Send us a resume through the Argonne site (, requisition number MCS- 310886. SOFTWARE DEVELOPERS Computation Institute, University of Chicago Join a world-class team developing pioneering eScience technologies and applications. Apply using the University's online employment application (, click "Job Opportunities" and search for requisition numbers 072817 and 072442). See our Posting on the GlobusWorld Job Board or Talk to Any of our Globus Folks. Question: Do you see a Fun & Exciting Career in my future? Magic 8 Ball: All Signs Point to YES

Download ppt "1 Java WS Core for Developers Rachana Ananthakrishnan Jarek Gawor."

Similar presentations

Ads by Google