Web Services: Theory and Practice

Distrust and caution are the parents of security.

Benjamin Franklin

Overview

Deployment- and management-related concerns, in practice, will circumscribe all the real-world operational issues currently facing those trying to use or offer production-grade Web services for enterprise-level applications. This, as the saying goes, is when the rubber really hits the asphalt when it comes to Web services, or when one quite literally has to start reconciling the hype with the hardware. The real problem here, to immediately cut to the chase, is that the dynamics surrounding Web services have been dramatically undermined by circumstances outside the scope of Web-services technology and industry.

It is fair to say that the world, socially, economically, and technologically, has changed quite a bit and unexpectedly between mid-2000, when Web services were first being postulated, and now. First, there was the crash and burn of the dot-coms, which tarnished the credibility, even if only subliminally, of e-business. Then there was 9/11!

While the repercussions of 9/11 were still reverberating, there was the anthrax scare. The threat of terrorism, in all forms, including that of cyber-terrorism, started to impact all forms of decision making, whether corporate or personal. A siege mentality set in. In big cities such as New York, people wait for another shoe to drop. The relentless attacks by the hacker community continue to add insult to injury. Pantophobia, a fear of everything, is rife. There are people who have stopped opening regular mail and others who have stopped using e-mail.

It is against this pervading climate of uncertainty and fear, where trust is in short supply, that one now tries to promote Web services: a brand-new, unproven, iconoclastic technology that advocates information sharing and collaborative processing over the Web. Suffice it to say that the original, somewhat utopian model of Web services being dynamically located (using UDDI and WSDL) and then automatically exploited, in a free-wheeling, take-it-for-a-test-spin, plug-and-play manner, is now passé, especially when it comes to enterprise-class applications. There is an evocative analogy here pertaining to the free-love culture of the mid-1960s and what happened to all of that with the advent of the deadly STDs.

The concept of glibly sourcing software functionality over the Internet from previously unknown service providers is no longer viable at the enterprise level, despite all protestations from the cognoscenti that it is indeed possible to have safe and secure scenarios. While the standards-based technology offered by Web services still has tremendous potential and appeal, for the time being the purveyors of Web services will have to be carefully vetted using the traditional due-diligence methods involving reference checks, credit ratings (e.g., a Dun & Bradstreet rating), installed base, financial reports, and testimonials. UDDI, which already includes the Publisher-Assertions structure that can be used to enumerate certifications, memberships, relationships, and so on, could still help in providing an initial (and, moreover, programmatic) first-cut validation. There can even be WSDL-centric service contracts. But most enterprises will want some level of face-to-face interaction with potential Web-service providers, even if it is via videoconferencing.

In addition to wanting traditional validation of providers, there is also an understandable preference by most corporations, at present, for acquiring or licensing required Web services from their providers and then deploying them on in-house servers, behind the corporate firewall. This obviously eliminates the uncertainty and risk of relying on a Web service being run by a third party at a remote location. It all boils down to control. In today's climate of uncertainty and distrust, enterprises want to have as much control as possible over their destinies, and that means controlling as much as possible of their IT systems, resources, and dependencies. This does not preclude outsourcing, but it must be outsourcing done with control, contracts, and commitments. Web-service use, rather than being Internet oriented, has, for the time being at least, become intranet/extranet focused.

These concerns about trust, security, and thus control have in essence changed the fundamental Web-services paradigm in the eyes of corporate IT professionals. There is now an added level of complexity and expense. Bernard Borges, an IBM Web-services architect, was quoted in the September 8, 2003, issue of InfoWorld as saying, "People in general thought Web services were simple and cheap, and it turns out they are complex and not so cheap. I think the whole notion of a Web service was using them as a simple integration tool. [But] it painted a rather rosy and low-tech picture compared with proprietary EAI products." And, as InfoWorld notes, somewhat tongue in cheek, IBM, as a Web-services pioneer, was one of the parties instrumental in propagating the "Web services are simple" picture. But life in general was simpler prior to 9/11.

The bottom line here is that the Web services-in-practice paradigm has changed between what was first thought when the XML Web-services vision was postulated in mid-2000 to what is thought now as enterprises wrestle with how best to exploit Web services in a safe and secure manner. The intelligentsia faction of the Web-services community continues to try to address some of these deployment-related issues with new standards. To this end there is the nascent Web Services Manageability 1.0 specification, as well as a raft of security-related specifications such as Web Services Policy Attachments, Web Services Policy Assertions, Web Services Trust Language, Web Services Secure Conversation Language, Web Services Security Policy Language, and Web Services Policy Framework, as shown in Table 1.1. These emerging standards, however, have a long way to go and need to be bolstered with other identity and trust management standards before enterprises will be willing to again explore the dynamic, free-wheeling model first espoused for Web services.

Table 7.1 summarizes how the Web-services usage model has changed since its inception, while Figure 7.1 depicts this change graphically.

Table 7.1: Web Services Usage Model from an Enterprise Usage Perspective

| Initial Expectations | Reality, mid-2003 |
|---|---|
| Dynamic, on-the-fly location and invocation | Dynamic location (using UDDI) but careful evaluation of providers' credentials prior to trying out the Web service |
| Invoke and use across the Internet | Usage restricted to intranet/extranet behind firewalls |
| Mechanism to facilitate exploitation of external, third-party software functionality | Methodology for in-house software development and software functionality sharing between selected partners |
| Focus on functionality and results rather than the platform | Need to know about the platform, because the platform could be an issue |
| Distributed, trust-based control | Tight, in-house control |
| Usage-based payment model | Acquire or license Web service so that it can be deployed in-house |
| Distributed management across domains | Centralized, in-house management |
| Simplicity is the byword | Not as simple as hoped; security concerns alone make it much more complex and convoluted |
| Inexpensive means of obtaining software functionality | Not as inexpensive as initially hoped but still attractive |
| Service provider can update Web-service software provided I/O model and promised results stay the same | Any and all changes to the Web-services software or infrastructure need to be carefully vetted, regression checked, and monitored |
| Standard Web-centric security measures based on authentication, digital certificates, digital signatures, SSL, firewalls, etc., will suffice | Security concerns will continue to dampen all-out exploitation of what Web services can offer |
| New distributed, decentralized software model | XML-based extension to intra-enterprise object-oriented programming |
| Standards based and simple; no need for expensive consultants | Better hire some consultants to determine optimum strategy, options, and action plan |
| Simplify and expedite application integration | Jury is still out |

Figure 7.1: While the original Web-services model envisaged Web services being freely invoked across the Internet, the current corporate preference is the intranet/extranet model.