
Overview of Web Services

08/06/2009

TELECOM

SAGAR VARMA MANTENA


sagarvarma.m@tcs.com

Abstract

Organizations today have attempted to link the inter-organizational, inter-functional and
interpersonal levels of their organizational processes via Web services. They have
undertaken this process in anticipation of reshaping and improving their core business
processes. This document details how Web services could potentially make a significant
difference in the integration of software applications across multiple platforms, sites and
departments of an organization.

What are Web Services?

Web services are small software components that are available over the Internet.
Publishing software applications as Web services makes them more reusable and lets them be
shared by many more users. Web services enable business partnering and thereby give
companies a good way of generating revenue streams. They also help reduce the development,
integration, and maintenance cost of the software application.

Simple Object Access Protocol (SOAP) is the communication protocol that transports
Extensible Markup Language (XML) messages between the client and server. SOAP is nothing
but XML over Hypertext Transfer Protocol (HTTP). When the Web service client makes a
request, the SOAP client application programming interface (API) constructs a corresponding
XML message containing the remote method name and the values of its parameters and sends
the XML message over HTTP to the server hosting the Web services. The server receives the
XML message, executes the business logic (which may be written in Java), and sends the
response back to the client.

The Web services paradigm includes a programming model for application integration
that does not discriminate between applications deployed inside and outside the
enterprise. Integration and development of Web services can be done in an incremental
manner, using existing languages and platforms and adopting existing legacy applications
(Figure 2.1). One of Web services' anticipated benefits is that human end-user interaction
in the normal data entry Web application can be replaced by direct
application-to-application communication.

Internal Use 2

Figure 2.1: Web services integration model

Alongside the benefits of Web services, a few issues in using them cannot be overlooked.
The primary issue is security. Other Web applications, such as Java Servlets, are accessed
via an HTTP browser. User-specific information can be stored in the HTTP session and used
to track the user's session. A fine example of this is the shopping cart application.

However, because Web services are invoked by stand-alone client applications, the server
has no idea which user is actually making the request. This poses a major problem: any
unauthorized user may consume our Web services, and we have no control over this. Another
serious problem is the tampering of XML messages while they are transmitted over the wire.

Using XML, business analysts can define policies and express them as XML documents.
These documents can have sections that are encrypted, and the documents can be digitally
signed, distributed, and then interpreted by the security mechanisms that configure the
local software. This will allow various implementations to map from the XML description to
a local platform-specific policy enforcement mechanism without requiring changes to the
infrastructure.

Web Services Approach

This new approach introduces a proxy-based lightweight framework for providing
secure access to the Web services requested by clients. The basic idea is to
deploy a proxy Web service that receives the request from the end client on behalf of the
actual Web service. The proxy service authenticates the end client by validating the
client's credentials, which he/she sent along with the Web service request. If the client is
authenticated successfully, he/she will be given access to the requested service.

The advantages of this approach are as follows:
- It is based on message-level security.
- It not only authenticates the user but also verifies the message integrity.
- It does not disturb the actual Web service, which may be running on the
  production server.
- It acts like a plug-in; it can be removed and replaced with any other solution at any
  point in time.
- It hides the actual Web service; the process is abstracted from the client. The client
  would not know that his/her request has been intercepted and processed by a
  proxy.

Integrating new handlers, such as auditing and notification, is very easy. Whereas an
auditing handler is for maintaining the service access information, a notification handler
could be used for sending e-mails to the service providers in case of any problem in
accessing the service.

Regarding the performance of the proxy approach, because of the introduction of a proxy
in the communication path of the end service, the invocation time will be a little longer.
However, the performance figures are more acceptable.

The proxy Web service uses Web services handlers to intercept XML messages used in Web
services. It contains two major components, namely:
- Authentication handler
- Proxy client

The authentication handler is realized by using a Web service handler and the proxy client
is the back-end component. The two components are packaged into a single Web service.
While the authentication handler authenticates the client, the proxy client invokes the
actual Web service.

To start with, the end client sends the request to the Web service proxy along with its
credentials. The credentials could be either a clear text password or a digital certificate.
In the case of basic authentication, the credentials (username and password) need to be
sent as HTTP header parameters. In the case of advanced authentication, the end client signs
the XML message with his/her digital certificate and sends the signed XML message to the
server. Now the client has done its job.

On the server side, the authentication handler acts as an XML interceptor, which receives
the XML message and the HTTP header parameters, if any. Depending on the type of
authentication mechanism needed, the corresponding implementation is invoked to verify
the credentials. By providing many hooks, different kinds of implementations for the
authentication could be integrated very easily. The Lightweight Directory Access Protocol
(LDAP) server can act as an access control list (ACL) repository, which stores all the
clients' profiles.

Figure 2.2: Proxy-based approach to Web services.


In the process of authenticating the client, the credentials being sent by the clients can be
verified against the credentials stored in the ACL repository. If they are found to be
matching, the user is authenticated successfully. Otherwise, the authentication process is a
failure and the handler will send the failure message to the end client. In the case of
successful authentication, the proxy client invokes the actual Web service by constructing
a new SOAP message and sending it to the server hosting the actual Web service.
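
The basic-authentication path described above, as an added Python sketch that is not code from the original document: the authentication handler checks the HTTP header credentials against the ACL repository, answers failures with a SOAP Fault, and the proxy client builds a new SOAP message for the actual Web service. The names `ACL`, `SAMPLE`, `authenticate`, `fault`, `handle` and `invoke_backend` are hypothetical, the in-memory dictionary with PBKDF2 hashes stands in for the LDAP repository, and the signed-XML path is not shown.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
ET.register_namespace("soapenv", SOAP)

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed stand-in for the ACL repository (an LDAP server in the text).
ACL = {"alice": (b"demo-salt", _hash("correct horse", b"demo-salt"))}
# Constructed request; the client-supplied Header must not reach the back end.
SAMPLE = (f'<e:Envelope xmlns:e="{SOAP}"><e:Header><role>admin</role></e:Header>'
          '<e:Body><GetQuote><symbol>TCS</symbol></GetQuote></e:Body></e:Envelope>').encode()

def authenticate(headers):
    """Basic authentication: return the user name, or None on any failure."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    salt, stored = ACL.get(user, (b"unknown-user", b""))
    # Hash even for unknown users, then compare in constant time.
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return user if scheme == "Basic" and ok else None

def fault(text):
    """Failure message for the end client, as a SOAP 1.1 Fault."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    f = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), f"{{{SOAP}}}Fault")
    ET.SubElement(f, "faultcode").text = "soapenv:Client"
    ET.SubElement(f, "faultstring").text = text
    return ET.tostring(env)

def handle(headers, body, invoke_backend):
    """Authentication handler first; the XML is parsed only for known clients."""
    if authenticate(headers) is None:
        return fault("authentication failed")
    if b"<!DOCTYPE" in body:  # SOAP 1.1 forbids DTDs (byte check assumes UTF-8 bodies)
        return fault("malformed SOAP message")
    try:
        payload = ET.fromstring(body).find(f"{{{SOAP}}}Body")
    except ET.ParseError:
        payload = None
    if payload is None:
        return fault("malformed SOAP message")
    out = ET.Element(f"{{{SOAP}}}Envelope")  # proxy client: new message, Body only
    out.append(payload)
    return invoke_backend(ET.tostring(out))
```

Basic credentials are only base64-encoded in the header, so this path depends on TLS between the end client and the proxy.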

As far as the end client is concerned, he/she receives the response from the proxy Web
service and the whole logic of authentication and actual service invocation is abstracted
out. The other advantages of this new proxy approach over other products are as follows:
- Lightweight framework
- Low cost
- Easy to integrate
- Quick to deploy

Web services are not a disruptive approach to hosted services; rather, they are an additive
step forward. They will provide a standards-based way for different services and
applications to interoperate, which will greatly reduce the integration hurdles. In the
process, Web services will also give increased flexibility to create and deliver more
personalized hosted solutions for their customers.

Considering that Web services are created and distributed by multiple entities, an
application service provider (ASP) would not be able to ensure that individual Web services
will be developed or run on the infrastructure of their choice. However, the ASP must
develop and deploy its own services with infrastructure that complies with Web services
standards. This will ensure that services can efficiently interact with, and take advantage
of, other Web service components.


Web Services Impact

Web services are the current tools best suited to bridging the multiplicity and
complexity of existing IT infrastructures. Web services are self-contained, modular business
process applications that Web users or Web-connected programs can access over a
network, usually by a standardized XML-based interface and in a platform-independent and
language-neutral way. This makes it possible to build bridges between systems that
otherwise would require extensive development efforts. Such services are designed to be
published, discovered, and invoked dynamically in a distributed computing environment.

By facilitating real-time programmatic interaction between applications over the Internet,
Web services may allow companies to exchange information more easily, in addition to
other offerings such as leveraging information resources and integrating business processes.
Users can access some Web services through a peer-to-peer arrangement rather than by
going to a central server. Through Web services, systems can advertise the presence of
business processes, information, or tasks to be consumed by other systems. Web services
can be delivered to any customer device and can be created or transformed from existing
applications. More importantly, Web services use repositories of services that can be
searched to locate the desired function so as to create a dynamic value chain. The future of
Web services goes beyond software components, because they can describe their own
functionality as well as look for and dynamically interact with other Web services. They
provide a means for different organizations to connect their applications with one another,
no matter what their applications, design, or run-time environment.

Web services represent a significant new phase in the evolution of software development.
They provide intelligent enterprises with the capability of overturning the accepted norms
of integration, thereby allowing all businesses to rapidly and effectively leverage the
existing IT and information assets at their disposal.

Conclusion

This document has discussed Web services and the security issues involved in using Web
services. It also briefly covered the various solutions available and how the proxy-based
approach can be very useful for securing Web services.
