<soaprpc/>: services and applications

[Last updated on June 13, 2006]

A list I maintained of web service implementations. Please don’t send me an email about adding to this list- I no longer update this list. I’ve tried to classify implementations as:

• Open source/free implementations
• Commercial Web service stacks
• WS Composition products
• Security implementations:
  • Hardware
  • Software
  • Part of Web service stacks
• Tools

[Originally published June 27, 2005]

Once you start sending large volumes of data over a web service invocation, you often run into performance issue.

There are a range of techniques that can prove useful here:

• Cache some of that information on the client side, instead of sending over everything for each webservice invocation. This is especially useful when some of the information to be sent over is relatively static
• Paginate the information to be sent e.g. instead of sending over entire rows from a database select, send over the first 50, and let the client ask for the next 50 and so on. In this case there is a tradeoff between making multiple remote calls and one single call that returns a large chunk of data.
• Have detail levels. An example of this is the UDDI API, where there a number of ‘find’ calls for returning things like ‘BusinessInfo’ list which doesn’t have all the data stored about a business- just the more commonly used pieces. Clients that need detailed information about a specific business or set of businesses can ‘drill down’ for more information. Again, you’d have a tradeoff here between making multiple remote calls and one single call.
• Compress the data before sending it. This is covered in more detail here and here. The issues that this approach throws up relate to this being non-standard, and thus having an ad-hoc mechanism for getting the client and service agree on the compression mechanism.

[Originally published June 4, 2004]

Now that Web services are being considered for high performance applications- such as scientific computing- the limitiations of XML for messaging are being felt very acutely. No matter what you do for performance [3], once you try transferring huge amounts of, say biological data [5], your performance characteristics won’t be pretty. Its not just the size of the message that is a concern, it is also the overhead of doing a object->XML->object conversion.

There are multiple solutions that have been proposed for this:

1. Compress the XML payload [5]. However, compression isn’t free, and so this approach has a tradeoff between processing and network overhead. Another problem is interoperability – though this can be overcome by specifying the compression protocol as a part of the payload.
2. Use XML accelerators [1] that offload XML processing from Application servers to hardware. Sarvega and Data Power are two companies I know that offer these products.
3. Use SOAP to negotiate a custom binary protocol, and then use that for data transfer [4].
4. An interesting new approach is a Sun initiative called Fast Web services [2] or “Fast”. This uses a binary encoding for the SOAP payload. The higher level protocols (WSDL for contract definition of service etc.) remain unchanged, so in theory you could use standard SOAP-XML for development, and have a switch that turns on the binary protocol for production deployment. The binary protocol is not Java-only, and is standards based- Packed Encoding Rules (PER), also known as X.691. This protocol is a part of the ASN.1 family, and has been around for a while. Work is underway to map XSD to ASN.1. Fast is also backward compatible with non-Fast peers – the approach is “Use Fast when available, and use XML otherwise”.

This is an interesting area to watch- I personally like Fast approach. Sun was supposed to unveil a prototype version of Fast Web services in its Java Web Services Developer Pack (WSDP) early 2004, and I’m waiting for it.

References:

[1] Peter Lin. So You Want High Performance? http://jakarta.apache.org/tomcat/articles/performance.pdf

[2] Paul Sandoz, Santiago Pericas-Geertsen et al. Fast Web Services. http://java.sun.com/developer/technicalArticles/WebServices/fastWS/

[3] Vivek Chopra. Performance best practices for Web services. http://soaprpc.wordpress.com/2009/04/25/performance-best-practices-for-web-services/

[4] Madhusudhan Govindaraju, Aleksander Slominski et al. Requirements for and Evaluation of RMI Protocols for Scientific Computing. http://www.sc2000.org/techpapr/papers/pap.pap261.pdf

[5] Chetna Warade, Virinder Batra et al. Web services for bioinformatics, Part 2- Integrate high-throughput services with Web services. http://www-106.ibm.com/developerworks/library/ws-bioinfo2.html?ca=drs-ws2304

Update [June 18, 2004]: More information of Fast Web services and Fast infoset can be found here.

[Originally posted May 11, 2004]

Performance is always a concern with Web services- there are better ways to designing a performant distributed system than sticking it behind a HTTP port and throwing verbose XML messages at it.

Lately I’ve been exploring some mechanisms to address performance issues for Web services. Most of these approaches target bottlenecks at the lower level SOAP layer, rather than at the design level. I’ve looked at some articles and technical papers that present metrics and guidelines. From them I’ve distilled the following performance best practices:

• Design your Web service interface to minimize the network traffic. A ‘coarse-grained’ API is better, as you minimize the number of requests a client has to make to get information. [1][6]
• Large SOAP messages are a performance bottleneck due to time spent parsing them. Keep your payload size as small as possible [1]
• Complex SOAP message are a performance bottleneck due to time spent serializing/deserializing messages. Keep your payload complexity low. However, payload complexity and payload size are often design tradeoffs. [1]
• SOAP intermediaries (gateways, proxies) should minimize parsing of messages.[1]
• Better XML parsing techniques. [3] For most applications, event driven parsers (SAX style) are more performant than DOM style parsers.[1][6]
• Document/Literal style SOAP messages are smaller and less complex than RPC/SOAP message. [1][5]
• Security has performance costs. Not all SOAP traffic needs to be secure. The performance costs of an end-to-end security (i.e. WS-Security) is, in most cases, higher than a transport level security mechanism like SSL. [1]
• Caching is a way to improve performance for processor-intensive services, though this is applicable only for read-only type of services. [2]
• Many of the performance best practices for web applications will apply here too (using EJBs v/s JavaBeans, passing-by-reference of EJB components, Hardware and capacity settings, JVM setting etc.) [2]
• Persistent connections are good for performance in case of a large number of messages of small payload size. For larger messages, this has less of an effect [3]. HTTP keep-alive is way [2] to request that a HTTP connection persist, though this is a default in HTTP/1.1.
• Streaming connections are good for performance in case of a large payload size. HTTP ‘chunked encoding’ is a kind of streaming, and is supported by HTTP/1.1. [3][6]
• Binary encoding of some payload elements should be considered. [3]

However, all said and done, remember the reasons for which you are choosing Web services – interoperability across heterogeneous environments- and not for performance!

References:

[1] Holt Adams. Web services performance considerations, Part 1. http://www-106.ibm.com/developerworks/library/ws-best9/

[2] Holt Adams. Web services performance considerations, Part 2. http://www-106.ibm.com/developerworks/webservices/library/ws-best10/

[3] Kenneth Chiu, Madhusudhan Govindaraju, et al. Investigating the Limits of SOAP Performance for Scientific Computing. http://www.extreme.indiana.edu/xgws/papers/soap-hpdc2002/soap-hpdc2002.pdf

[4] Madhusudhan Govindaraju, Aleksander Slominski et al. Requirements for and Evaluation of RMI Protocols for Scientific Computing. http://www.sc2000.org/techpapr/papers/pap.pap261.pdf

[5] Frank Cohen. Discover SOAP encoding’s impact on Web service performance http://www-106.ibm.com/developerworks/webservices/library/ws-soapenc/

[6] Dan Davis and Manish Parashar. Latency Performance of SOAP implementations http://www.caip.rutgers.edu/TASSL/Papers/p2p-p2pws02-soap.pdf

[Update May 12, 2004] I found another website that consolidates performance best practices.

[Originally updated September 2005]

My attempt to keep track of all the web service specifications…

[Originally posted on March 23, 2004 ]

CAVEAT: None of this code will probably work- UDDI Business Registries are so very 2001

Some years back (2001?) I had written up a very primitive command line tool to dump data from a UDDI (then V1) registry. I recently updated it for the current version of uddi4j.

The command tool was very optimistically named ‘UDDI Browser’ (source listed at end of article). It enabled you to do things like:

Find a business by name

java com.soaprpc.uddi4j.tools.UDDIBrowser http://uddi.ibm.com/ubr/inquiryapi find_business name ibm

Look at the list of business returned, and drill-down using a business key

java com.soaprpc.uddi4j.tools.UDDIBrowser http://uddi.ibm.com/ubr/inquiryapi find_business key D2033110-3AAF-11D5-80DC-002035229C64

On finding a service you like, you can get information on it:

java com.soaprpc.uddi4j.tools.UDDIBrowser http://uddi.ibm.com/ubr/inquiryapi find_service key 894B5100-3AAF-11D5-80DC-002035229C64

The prerequisites for the code are:

• Apache SOAP- uddi4j works with Axis, however I had problems with the current Axis release. I haven’t verified which Axis version uddi4j works with. however you should use Xerces due to a bug with Crimson- see my comment below. You would have to make a small, one line change in the code to set the correct SOAP transport class.
• Java mail (required by Apache SOAP)
• Java activation framework (required by Apache SOAP)
• And offcoure, uddi4j. Further instructions are here.

Note that if you run this software from behind a proxy server, you would need to specify the proxy host and port at the command line using -Dhttp.proxyHost/-Dhttp.proxyPort.

Most commercial Web service products include a UDDI browser, but if you are looking for an open source/free option and don’t like the primitive interface of my UDDI tool, you do have some options. Many moons ago I worked briefly on one such tool- the now defunct HP Registry Composer. I found a datasheet for it still around on the ‘HP Middleware’ website. Your other (non-defunct) options include soapclient’s web based UDDI browser and an open source SWING based tool called uddibrowse (I’ve seen some screenshots, but haven’t tried it out).

The public UDDI registries (UDDI Business Registry- UBR) have a web based interface too. Uddi4j’s website lists them, but is outdated- it still has HP’s UBR site listed (HP dropped most it’s Web Service offerings about a year and a half/two years ago), and the Microsoft UBR address is incorrect. A complete list is:

If you are planning to publish to the UDDI registry, you should use the ‘test’ registries. These currently support UDDI V3 Beta, and are backwards compatible with the UDDI V2 API.

Source code for UDDIBrowser  (see the circa 2001 usage of java.util.Vector!)

/**
 * This code is licensed under the following terms:
 *   Creative Commons Attribution-NoDerivs-NonCommercial 1.0
 *   http://creativecommons.org/licenses/by-nd-nc/1.0/
 *
 * Copyright (c) soaprpc.com. All rights reserved.
 */
package com.soaprpc.uddi4j.tools;

import org.uddi4j.*;
import org.uddi4j.client.*;
import org.uddi4j.datatype.*;
import org.uddi4j.datatype.assertion.*;
import org.uddi4j.datatype.binding.*;
import org.uddi4j.datatype.business.*;
import org.uddi4j.datatype.service.*;
import org.uddi4j.datatype.tmodel.*;
import org.uddi4j.request.*;
import org.uddi4j.response.*;
import org.uddi4j.transport.*;
import org.uddi4j.util.*;

import java.io.*;
import java.net.*;
import java.util.Properties;
import java.util.Vector;

/**
 * The UDDIBrowser class is a command line based UDDI registry browser
 *
 * @author Vivek Chopra (www.soaprpc.com)
 */
public class UDDIBrowser {
    /**
     * The UDDIProxy object. All API calls to the UDDI registry are made against
     * this object.
     */
    private UDDIProxy _uddiProxy;

    public UDDIBrowser(UDDIProxy uddiProxy) {
        _uddiProxy = uddiProxy;
    }

    /*
     * Utility method for dumping the DispositionReport
     */
    void printUDDIExceptionDetail(UDDIException uddiException, String message) {
        System.out.println(message + "\n");

        DispositionReport dispositionReport = uddiException.getDispositionReport();

        if (dispositionReport != null) {
            System.out.println("UDDIException faultCode:" +
                uddiException.getFaultCode() + "\n operator:" +
                dispositionReport.getOperator() + "\n generic:" +
                dispositionReport.getGeneric());

            Vector results = dispositionReport.getResultVector();

            for (int i = 0; i < results.size(); i++) {
                Result result = (Result) results.elementAt(i);
                System.out.println("\n errno:" + result.getErrno());

                if (result.getErrInfo() != null) {
                    System.out.println("\n errCode:" +
                        result.getErrInfo().getErrCode() + "\n errInfoText:" +
                        result.getErrInfo().getText());
                }
            }
        }
    }

    /* Browse by Business Name- return all matching business entities */
    private void browseBusinessByName(String businessName) {
        BusinessList businessList = null;

        try {
            Vector names = new Vector();
            names.add(new Name(businessName));

            businessList = _uddiProxy.find_business(names, null, null, null,
                    null, null, 0);
        } catch (UDDIException e) {
            printUDDIExceptionDetail(e,
                "UDDI error browsing for businesses in UDDI Registry");
            System.exit(1); /* fatal error */
        } catch (Exception e) {
            System.out.println(
                "Exception browsing for businesses in UDDI Registry: " +
                e.getMessage());

            // e.printStackTrace ();
            System.exit(1); /* fatal error */
        }

        /* Since logging is enabled, all request and response messages will be
         * dumped to console
         */
    }

    /* Browse by Business key- return an entire businessEntity */
    private void browseBusinessByKey(String businessKey) {
        Vector vector = new Vector();
        vector.addElement(businessKey);

        BusinessDetail businessDetail = null;

        try {
            businessDetail = _uddiProxy.get_businessDetail(vector);
        } catch (UDDIException e) {
            printUDDIExceptionDetail(e,
                "UDDI error browsing for businesses in UDDI Registry");
            System.exit(1); /* fatal error */
        } catch (Exception e) {
            System.out.println(
                "Exception browsing for businesses in UDDI Registry: " +
                e.getMessage());

            // e.printStackTrace ();
            System.exit(1); /* fatal error */
        }

        /* Since logging is enabled, all request and response messages will be
         * dumped to console
         */
    }

    /* Browse by Service key- return an entire businessService */
    private void browseServiceByKey(String businessServiceKey) {
        Vector vector = new Vector();
        vector.addElement(businessServiceKey);

        ServiceDetail serviceDetail = null;

        try {
            serviceDetail = _uddiProxy.get_serviceDetail(vector);
        } catch (UDDIException e) {
            printUDDIExceptionDetail(e,
                "UDDI error browsing for services in UDDI Registry");
            System.exit(1); /* fatal error */
        } catch (Exception e) {
            System.out.println(
                "Exception browsing for services in UDDI Registry: " +
                e.getMessage());

            // e.printStackTrace ();
            System.exit(1); /* fatal error */
        }

        /* Since logging is enabled, all request and response messages will be
         * dumped to console
         */
    }

    /* Browse by tModel Name- return all matching tModel infos */
    private void browseTModelByName(String tModelName) {
        TModelList tModelList = null;

        try {
            tModelList = _uddiProxy.find_tModel(tModelName, null, null, null, 0);
        } catch (UDDIException e) {
            printUDDIExceptionDetail(e,
                "UDDI error browsing for tModels in UDDI Registry");
            System.exit(1); /* fatal error */
        } catch (Exception e) {
            System.out.println(
                "Exception browsing for tModels in UDDI Registry: " +
                e.getMessage());

            // e.printStackTrace ();
            System.exit(1); /* fatal error */
        }

        /* Since logging is enabled, all request and response messages will be
         * dumped to console
         */
    }

    /* Browse by tModel key- return a TModelDetail structure */
    private void browseTModelByKey(String tModelKey) {
        Vector vector = new Vector();
        vector.addElement(tModelKey);

        TModelDetail tModelDetail = null;

        try {
            tModelDetail = _uddiProxy.get_tModelDetail(vector);
        } catch (UDDIException e) {
            printUDDIExceptionDetail(e,
                "UDDI error browsing for tModels in UDDI Registry");
            System.exit(1); /* fatal error */
        } catch (Exception e) {
            System.out.println(
                "Exception browsing for tModels in UDDI Registry: " +
                e.getMessage());

            // e.printStackTrace ();
            System.exit(1); /* fatal error */
        }

        /* Since logging is enabled, all request and response messages will be
         * dumped to console
         */
    }

    /* Print usage message */
    private static void usage() {
        System.out.println(
            "usage: UDDIBrowser <inquiry_url> <find_business|find_service|find_tmodel> <options>\n" +
            "             <options> are :\n" +
            "             [for find_business]\n" +
            "             name <partial_business_name>\n" +
            "             key  <businessKey>\n\n" +
            "             [for find_service]\n" +
            "             key  <serviceKey>\n\n" +
            "             [for find_tmodel]\n" +
            "             name  <partial_tmodel_name>\n" +
            "             key  <tModelKey>");
    }

    public static void main(String[] args) {
        /* Process command line arguments */
        if (args.length < 2) {
            usage();
            System.exit(1);
        }

        /* Set up UDDI4J system properties */
        /* Set SOAP transport class to Apache SOAP */
        System.setProperty(TransportFactory.PROPERTY_NAME,
            "org.uddi4j.transport.ApacheSOAPTransport");

        /* Enable logging to dump messages to console */
        System.setProperty("org.uddi4j.logEnabled", "true");

        String inquiryUrl = args[0];

        String inquiryMethod = args[1];

        if (!inquiryMethod.equals("find_business") &&
                !inquiryMethod.equals("find_service") &&
                !inquiryMethod.equals("find_tmodel")) {
            System.out.println("Inquiry method '" + inquiryMethod +
                "' not valid- has to be one of find_business|find_service|find_tmodel");
        }

        /* Construct a UDDIProxy object- this represents a UDDI server
         * and the actions that can be invoked against it.
         */
        UDDIProxy uddiProxy = new UDDIProxy();

        /* Set the inquiry URL */
        try {
            uddiProxy.setInquiryURL(inquiryUrl);
            System.out.println("Using Inquiry URL [" + inquiryUrl + "]");
        } catch (MalformedURLException e) {
            System.out.println("Malformed publish URL for the UDDI registry [" +
                inquiryUrl + "]: " + e.getMessage());
            System.exit(1);
        }

        /* Make the inquiry call to the UDDI registry */
        UDDIBrowser browser = new UDDIBrowser(uddiProxy);

        if (inquiryMethod.equals("find_business")) {
            if (args[2].equals("name")) {
                browser.browseBusinessByName(args[3]);
            } else if (args[2].equals("key")) {
                browser.browseBusinessByKey(args[3]);
            } else {
                usage();
            }
        } else if (inquiryMethod.equals("find_service")) {
            browser.browseServiceByKey(args[3]);
        } else if (inquiryMethod.equals("find_tmodel")) {
            if (args[2].equals("name")) {
                browser.browseTModelByName(args[3]);
            } else if (args[2].equals("key")) {
                browser.browseTModelByKey(args[3]);
            } else {
                usage();
            }
        } else {
            usage();
        }
    }
}

[Originally posted on March 17, 2004]

Some time back, I was preparing a document on Web service standards- specifically security related ones- and was overwhelmed by the sheer number of them. I wrote up this rough guide to the Web services ‘alphabet soup’ to help me get a big picture of what the standards are, and where they fit in.

Basic standards

• SOAP (Simple Object Access Protocol) defines the format of messages on the ‘wire’.
• WSDL (Web Services Description Language) is used to describe the programmatic interface exposed by a Web Service, and (optionally) the URL for accessing it.
• UDDI (Universal Description, Discovery and Integration) allows for discovery of not just Web services, but also supports a more general ‘yellow page’ lookup for companies and services that they provide.
• WS-Inspection is a lightweight discovery standard being pushed by Microsoft and IBM that merges their earlier efforts- IBM’s Advertisement and Discovery of Services (ADS) and Microsoft’s Discovery of Web Services (DISCO).

The discovery standards haven’t (as of date) had a lot of traction. SOAP & WSDL on the other hand, are widely in use.

Web service Composition standards

• BPEL4WS (Business Process Execution Language for Web Services) consolidates Microsoft’s XLANG and IBM’s Web Services Flow Language (WSFL)
  • WS-Coordination is used along with BPEL4WS for coordinating services
  • WS-AtomicTransaction defines the atomic transaction coordination type used by WS-Coordination specification.
• WSCI (Web Service Choreography Interface)- Sun’s alternative to BPEL4WS. It is now a W3C Note, however BPEL4WS has had more acceptance in the market.
• BPML (Business Process Modeling Language)- been around longer than the other standards, but doesn’t have backing from any major enterprise software company. Ok, BEA is listed as a member, BEA is also an author for BPEL4WS and WSCI. Go figure!

These three competing standards allow for workflow-type applications with Web services.

Web Service QoS standards

• WS-Transaction defines a transaction model for Web Services.
• WS-ReliableMessaging deals with reliably delivery of messages between Web Services and client applications.

Security Standards

Security for Web services can be achieved at two levels- either at the ‘wire’ level or at an XML level. Wire level security, also called Transport layer security uses existing Internet protocols to secure the traffic between the Web Service and the client application. For example you can use:

• HTTP based authentication (HTTP BASIC, HTTP Digest, HTTP CLIENT-CERT)
• SSL for encrypting data
• Either a custom access control mechanism, or a J2EE/Realm based access control

Wire level security is fine so long you have one Web Service provider and a simple security policy. However, things become difficult if you have a number of Web Service providers, or a document being passed around by different services (such as in a workflow). This is because transport layer security mechanisms only secure the information exchange between two application endpoints: they do not provide for an end-to-end security model.

In XML level security, also called Message level security, the security information and access policies are bundled in the message itself. There is a long list of standards in this space, though the ones that have some market acceptance at the moment are XML-Encryption, XML-Signature (also used as a part of WS-Security) and SAML.

• The basic Message level security standards
  • XML-Signature is an XML syntax for digital signatures
  • XML-Encryption specifies how an XML can be used to represent a digitally encrypted web resource, including another XML document
  • XKMS is a protocol for distributing and registering public keys, and is intended to be used along with XML-Signature.
  • WS-Security is a protocol neutral mechanism for securing SOAP messages. It builds upon XML-Signature and XML-Encryption, and also specifies how security tokens can be associated with messages.
• Security token standards

• • X.509 certificates
  • Kerberos tickets
  • SAML assertions

These standards aim to enable interoperable authentication and authorization across systems. This is done by having security tokens bundled along with a SOAP message, and these tokens can be in any format, such as:

X.509 and Kerberos have been around for a long time- they pre-date Web Services. SAML (Security Assertion Markup Language ) is however getting a lot of commercial attention, and has a number of implementations. There is another standard with some overlap to SAML called XACML (eXtensible Access Control Markup Language), which, as the name suggests, is an access control rule language.

• Identity
  • Passport from Microsoft
  • Liberty from a consortium started by Sun

  Liberty and Passport try to solve the same problem (single sign on, identity) but approach it differently. Liberty has a federated architecture and is based on SAML. It consists of a set of specifications and depends on vendors to provide implementations. Passport, on the other hand, is a centralized service run by Microsoft, and is implemented in Microsoft’s Hotmail, Messenger and ISP services.

• Federation and trust related
  • WS-Federation defines mechanisms that are used to “enable identity, account, attribute, authentication, and authorization federation across different trust realms”.
  • WS-Trust (Web Services Trust Language) is an extension to WS-Security that specifies how security tokens are exchanged and trust established.
• Policy management standards
  • WS-Policy (Web Services Policy Framework) is a model for describing the policies of a Web service. It can be extended to describe service requirements, preferences, and capabilities.
  • WS-SecurityPolicy (Web Services Security Policy) is the WS-Policy Policy assertions that apply to WS-Security
• The other security standards (the ones that couldn’t classify!)
  • WS-SecureConversation builds on WS-Security and defines how security contexts are establishing and shared, and how session keys can be derived from these contexts.
  • WS-Authorization will define how Web Services manage authorization data and policies
  • XrML (eXtensible rights Markup Language) is a language for expressing rights and conditions associated with digital content.
  • WS-Privacy will define how Web Services state and implement privacy practices.

Grid computing related standards

Some new standards that aim to integrate Web Services and Grid computing:

• WS-Notification supports a publish-subscribe notification mechanism using Web Services.
• WS-ResourceFramework is a group of specifications for accessing stateful resources using Web services.
• WS-Eventing provides event notification. This is supported by Microsoft, among others, and has overlap with the IBM supported WS-Notification and WS-ResourceFramework standards.