ASWEC 2006 > Tutorials > Tutorial 8

Tutorial 8

Title: Architecting and Developing Message-Oriented Web Services

Topic: Building transport-neutral, loosely-coupled, secure Web Services based on the message-exchange paradigm.

Length: 3 Hours

Description

Best practice in Web Services architecture and development has moved on since the days when the technology was used as a platform-agnostic RPC mechanism. Best practice in modern Web Services architecture is to consider problems in terms of explicit message passing between autonomous computational entities, in arbitrary message exchange patterns over arbitrary protocols. Over time, Web Services middleware has evolved to support this notion, and now both .Net and Java provide a message-oriented abstraction for composing Web Services into applications and security and policy infrastructure.

This tutorial is derived from an extended version of a talk given for the ACS Web Services SIG and an abbreviated version of a commercial training course, and supported by a chapter in the forthcoming MIT Press book, "Readings in Service Orientation: The Web Services Phenomenon." It will last for approximately 3 hours and introduce the message-oriented aspects of common Web Services middleware and show how to apply its features to building Web Services with interesting transport-neutral message exchange patterns and security requirements. The tutorial will be code-focussed and will take the audience through the design and implementation of a fully-featured Web Services application based on the classic noughts-and-crosses (or tic-tac-toe) game. Once the implementation has progressed to the point where the game can be played between two remote players, it will be used as a test bed to illustrate various aspects of WS-Security (via WS-Policy) to show how message exchanges can be made robust against tampering, non-repudiable, and private.

Outline

Introduction (30 mins)

1. The tutorial will begin with a brief recap on the history of Web Services and how we arrived at today's message-oriented model. We will also introduce a three-tiered model for the generic architecture of a Web Service showing how services decouple protocol, messaging, and application layers;
2. We will then address the problem domain, and introduce the noughts-and-crosses (tic-tac-toe) game in an informal manner - by challenging a member of the audience to a game;
3. By following the series of moves made by both players in the informal game, we will derive a number of exchanged messages plus message exchange patterns which we will capture and use as the basis for our subsequent implementation;

Implementation (2 hours)

4. Having established the messages and message exchanges that we need to support, we will then write the WSDL contracts for the application. These contracts will be initially used to guide the coding phase of the tutorial, but will later be augmented with policies to control the security aspects of the application;
5. We will then review the messaging features that WCF supports with a particular emphasis on transport-neutral messaging based on WS-Addressing (which will be briefly discussed) to press home the fact that Web Services are not coupled with HTTP;
6. Using the MessageContract features from the WCF framework we will implement messages that the application will exchange;
7. We will show how the bindings and messaging features of WCF can be used to exchange those messages between parties using TCP as a transport;
8. Once we have the ability to exchange messages according to the WSDL contracts of the services, we will create the necessary state machines required to run the game;
9. At this point in the tutorial we will have the basic infrastructure required to play a simple game of noughts-and-crosses. We will introduce a simple (pre-built) GUI into the application and re-invite our chosen audience member for a re-match. During this rematch we will be snooping on the network traffic to highlight the messages and message exchange patterns on the wire, as well as to plant the notion that we have implemented an insecure and untrustworthy application;

Securing the Application (30 mins)

10. Having played one insecure game, we will invite our audience member to continue to play to best of three. At this point we will begin cheating! Since we know the message format and exchange patterns we will demonstrate that it is possible to forge game messages to disrupt play;
11. We will then revisit the wire level messages and show how the digital signature aspects of WS-Security work, and how they dovetail with the WS-Policy contracts which complement our WSDL contracts;
12. Since we will have been snooping on network traffic for the whole match, privacy is a concern. We will show how once again WS-Policy can be used to declaratively enforce message-level encryption based on WS-Security. At this stage we will have a game which cannot be either corrupted or monitored by third parties, and which can be used as a vehicle for further experimentation by the audience - and further expansion for future tutorials (e.g. by adding reliable messaging, transactions, events, etc. into the architecture).


Target Audience

The target audience for this tutorial consists of programmers, developers, and those in a technically-oriented managerial role. The audience should be familiar with the fundamentals of Web Services (SOAP, WSDL) to the point where they can generally understand the meaning of both. It would be useful for the audience to have a good understanding of a modern enterprise platform (e.g. .Net or Java) but direct experience of building Web Services is not necessary. It would also be advantageous, but not essential, if the audience were aware of some of the other WS-* specifications such as WS-Addressing and WS-Security.

Speaker Bio

Dr. Jim Webber is the SOA practice lead for ThoughtWorks where he works on dependable service-oriented systems. Jim was formerly a senior researcher with the UK E-Science programme where he developed strategies for aligning Grid computing with Web Services practices and architectural patterns for dependable Service-Oriented computing. Jim has extensive Web Services architecture and development experience as an architect with Arjuna Technologies and was the lead developer with Hewlett-Packard on the industry's first Web Services Transaction solution. Jim is an active speaker in the Web Services space and is co-author of the book "Developing Enterprise Web Services - An Architect's Guide." Jim holds a B.Sc. in Computing Science and a Ph.D. in Parallel Computing, both from the University of Newcastle upon Tyne. His blog is located at http://jim.webber.name.

Dr. Savas Parastatidis is a program manager with Microsoft Corporation where he develops advanced middleware for distributed computing systems. Savas was formerly a principal research associate at the School of Computing Science, University of Newcastle upon Tyne, UK, and the chief software architect of the North-East Regional e-Science Centre (NEReSC). He is an expert in Grid Computing and Web Services technologies and standards. Previously, Savas co-led an R&D team at HP's middleware division that produced the world's first XML-based transactioning system and did research work in parallel, distributed-memory, object-oriented computing. He is a frequent invited speaker in Grid-related conferences and workshops. Savas' blog can be found at http://savas.parastatidis.name.

Contact Addresses: [email protected], [email protected]