Beruflich Dokumente
Kultur Dokumente
One of the biggest business challenges facing organizations today is leveraging their
existing investments, such as existing applications. Therefore, almost every development
project requires some level of application integration. As development and integration
are very much related, OptimalJs model-driven and pattern-based development
environment is extended to include a model-driven integration environment.
Before you read our technical white paper series, we encourage you to gain a general
understanding of OptimalJ and its use of MDA by reading OptimalJ: An Introduction at
http://www.compuware.com/products/optimalj/detail.htm.
CompuwareCorporation
Web services
Web services, as the name implies, are services offered via the web. A Web
service provides application logic (without worrying about how the Web
service is implemented) that is accessible using standard Internet protocols.
In a typical Web services scenario, a business application sends a request to a
service at a given URL using the SOAP1 protocol over HTTP. The service
receives the request, processes it, and returns a response. The Web service
interface is the only thing the consumer of the Web service needs to know.
The web service interface is described using the Web Services Description
Language (WSDL2). The Web service implementation is relevant only for the
Web service provider.
Web services are the next logical step in the evolution of technology
standards. Web services infrastructure will transform todays software runtimes
into a more flexible service-oriented architecture3 and offer enterprises
significant savings and flexibility in application integration and development.
1
SOAP (Simple Object Access Protocol) - lightweight, extensible protocol for information exchange across different systems and protocols.
Part of the SOAP specification defines a set of rules for how to use XML to represent data.
2
WSDL (Web Services Description Language) - an XML-based contract language that defines a standard mechanism for documenting what
messages a Web service accepts and generates (i.e., interfaces).
3
See white paper: Service Oriented Architecture and OptimalJ http://javacentral.compuware.com/members/downloads/whitepapers.htm
2
Web services provision with OptimalJ
OptimalJ offers the functionality to expose any OptimalJ modeled stateless
Session Bean as a Web service. This is based on the ability to expose EJB
components as Web services. Providing a Web service in OptimalJ entails two
things:
After having defined the Web service definitions at the Domain Model level,
developers can start generating the Application Model in the application tier
by using the Update All Models menu option. OptimalJ generates applications
that are logically layered and service oriented, since the Application Model
consists of three sub-models: Web, EJB and DBMS. Within the context of
Web services, the three sub-models serve the following purposes:
3
EJB Model
The domain service is transformed to an EJBSessionComponent in the EJB
Model. This session component includes the domain service operations,
transformed to methods. At the code level, the session component methods
become part of the component interface of the generated Session Bean. The
EJBSessionComponent belongs to the internal implementation of the Web
service and, therefore, is relevant only for the Web service provider.
Web Model
The generated Web Model contains a Web component with a web action that
represents the domain service operation and its parameters. From this action, a
web front-end can be generated to present the web action parameters. This
web front-end allows developers to test the Web service implementation
within the development environment.
DBMS Model
The DBMS model contains the relational data schema. This schema includes
base table definitions that are transformations of the domain classes in the
class model. From the DBMS model, an SQL script is generated that allows
the implementation of the tables in a database. Again, this is relevant only for
the Web service provider.
After generation of the Application Model out of the Domain Model, the
next step is to generate the Web service from the EJB Model (see figure 3).
4
The generation results in two top-level elements:
To fully implement the Web service logic, developers only provide the method
body for those Session Bean methods that represent the Web service
operations. Free blocks are available for this purpose. This allows developers to
focus on adding value by enhancing business logic that fully supports the
business, rather than building the infrastructure.
5
Web services consumption with OptimalJ
Invoking a Web service based on a services description (WSDL) with
OptimalJ requires a developer to first import an existing WSDL file into
OptimalJs Integration Model by using OptimalJs Web service WSDL import
facility. The Web service WSDL import facility generates an OptimalJ Web
service Integration Model from an existing WSDL file. The import facility
does the following:
reads a WSDL file from the local file system or a remote location. If remote,
a URI (Uniform Resource Identifier) that points to the location and file
name is required. The URI is published by the Web service provider.
handles links to other WSDL files and XML schemas. The links are
specified with the import element in the WSDL file.
analyzes the file using WSDL syntax and semantics, and generates error
messages for violations, indicating the cause and location.
inserts the generated model into the OptimalJ repository.
Figure 4: OptimalJs Web services Integration Model after the WSDL import
6
After importing a WSDL file, the Web service Integration Model is populated
and available (see figure 4). From there the Domain Model can be generated.
The advantage of creating a Domain Model out of the Integration Model is
that the business functions provided by the Web service are represented at the
domain-level view of the application. This includes the domain class model
and the domain service model. The Web service component definition is
copied to the domain service model. More than one domain service can be
generated from the Integration Model. Structural elements such as complex
and enumeration type definitions are copied to the domain class model. No
domain classes are generated (see figure 5).
Figure 5: Domain class model and domain service model derived from the Integration Model
After generating the Domain Model from the Web service Integration Model,
the Application Model can be generated (see figure 6). The Application
Model includes the EJB and Web models. From the domain service, OptimalJ
allows developers to generate a Session Bean and its related code. This Session
Bean is then used as a wrapper for the Web service client code. Optionally,
users can also generate the Web Model. This enables users to create a web-
based interface for providing data input and displaying the result of the call to
the Web service for testing purposes.
7
Figure 6: OptimalJs Application Model, which includes the EJB and Web models
The final step is to generate and compile source code from the Application
Model. The code generator uses the specifications in the EJB Model to
generate the appropriate code. Generating code from the EJB Model will
result in a Session Bean that is used as a wrapper, whose business methods
invoke the related methods of the Web service. The interface of this Session
Bean includes methods that reflect the operations as defined in the interface
description. Deployment descriptors are generated, based on the preferred EJB
server as selected in the OptimalJ System Settings.
The generated code includes bean classes, JSPs, the update object, deployment
descriptors and other code required to call the integrated component. The
generated Session Bean is used to invoke the generated connector (client)
code. The created Java classes provide a self-contained framework for
accessing the target Web service in a JAX-RPC compliant way. All the
mandatory JAX-RPC types are supported, including complex XSD types,
complex XSD types derived by extension, arrays, etc. Besides the mandatory
JAX-RPC types, support for occurrence constraints minOccurs and maxOccurs
for xsd:element is generated where applicable.
8
=== start generating code
generate java classes for EJBStructType Address
generate java classes for EJBStructType Phone
generate java classes for EJBEnumType StateType
generate java classes (EJB 2.0) for EJBSessionComponent AddressBook
generate generic deployment descriptor (EJB 2.0) for EJBModule ejb
generate Manifest file for EJBModule ejb
Generating a KeyGeneratorFactory for modelpackage.application.ejb.ejb
generate JBoss 3.0 deployment descriptors (EJB 2.0) for EJBModule ejb
Generating WebComponent AddressBook
Generating AddressBookAddEntryForm.java
Generating AddressBookAddEntryIntAreaCodeForm.java
Generating AddressBookGetAddressFromNameForm.java
Generating AddressBookGetAddressFromNameIntAreaCodeForm.java
Generating AppError.jsp
Generating Character Encoding Filter for web
Generating web deployment descriptor
Generating action mappings for web
Generating resource properties for web
Generating index.html
generate Manifest file for WEBModule web
Generating JBoss 3.0.x specific deployment descriptor for WEBModule web
Generating WSDL/XSD document(s) and java code for WS client module WSClientModule.
Creating a top-level WSDL document wsdlrepository_top.wsdl
Invoking an external WSDL-to-Java convertor for top-level WSDL file
D:\signatures_demo\app\modelpackage\integration\webservices\WSClientModule\wsdlrepository_top.wsdl.
Successfully finished generating code for WS client module WSClientModule.
Exporting the WSDLRepository modelpackage.integration.webservices.wsdlrepository into WSDL/XSD
document(s):
Creating a WSDL document wsdlrepository.wsdl
Successfully finished exporting the WSDLRepository modelpackage.integration.webservices.wsdlrepository into
WSDL/XSD document(s).
=== finished generating code
9
The following runtime services are available:
a) Support for HTTP and HTTPS transports, that is, support for SSL is
provided.
b) Support for participating in a session with a Web service endpoint
component in case the OptimalJ Session Bean has been marked stateful.
Note: this only makes sense if the targeted Web service has been deployed
with its scope set to Session.
c) Support for setting an upper bound on the duration of all request-
response remote calls to the methods of the Web service component made
by the business methods of the Session Bean.
d) Support for HTTP Basic Authentication.
e) Support for specifying HTTP/HTTPS proxy related settings as well as SSL
related settings when starting an EJB application server wherein the
Session Bean is going to be deployed.
f) Support for setting any Java system property when starting an EJB
application server wherein the Session Bean is going to be deployed.
g) Support for digital signatures as defined in the Web Services Security
specification (see next paragraph).
10
Web Services Security
Security is rarely an issue when Web services are used only internally. When
they are to be exposed externally it becomes a more serious issue. Starting
with release 3.1, OptimalJ supports the important new open standard Web
Services Security (WS-Security4) from the Organization for the Advancement
of Structured Information Standards (OASIS - http://www.oasis-open.org).
The WS-Security specification is seen as the key Web services standard, and is
the first such standard to support, integrate and unify multiple security models,
mechanisms and technologies. It is intended to allow a range of different
systems to interoperate in a platform- and language-neutral manner.
Web services use SOAP for XML messaging. As SOAP messages are sent
across the wire, they could be lost or modified. Securing these messages or,
more generally, securing business transactions on the web, is an important
topic. The WS-Security specification fundamentally provides a standard set of
SOAP extensions that can be used to implement both integrity and
confidentiality in Web services applications. Web services must be able to
authenticate users and message senders and protect transmitted data from
being modified by inappropriate parties. The following security requirements
must be addressed to ensure the safety of information exchange in general and
SOAP messages in particular.
4
http://www.oasis-open.org/committees/download.php/3281/WSS-SOAPMessageSecurity-17-082703-merged.pdf
11
In OptimalJ, Authentication and Authorization are supported in the form of
HTTP Basic Authentication5 and servlet-based authorization, where OptimalJ
generates the necessary bits and pieces. The next sections describe how
OptimalJ supports and implements Web Services Security.
Digital signatures
To allow a digital documents integrity to be verified, a mathematical hash
function (Secure Hashing Algoritm; SHA) is applied to the bits that make up
the document. The resulting number is called the message digest. It has the
property that if the document is altered, applying the same hash function
would result in a different message digest. The message digest is sent along
with the document so that the recipient can recalculate the message digest
from the document and compare it with the digest received with the
document. If the digests are the same, then the message sent and the message
received are exactly the same.
Message digests alone are not a complete solution for ensuring that a
document has not been modified. Someone might intercept a message and its
digest, modify the message, recalculate a new digest, and send both on to the
recipient. This is where the second cryptographic technique comes in, digital
signatures. A digital signature is the encryption of the message digest based on
public key cryptography.
5
HTTP Authentication entails sending user names and passwords encoded as Base64 without ciphering them. It is strongly recommended to
use HTTP basic Authentication in combination with the Secure Socket Layer (SSL). Enabling SSL is a matter of making the Web server
listen on a secure port.
12
Certificates
For signature verification to be meaningful, the verifier must have confidence
that the public key does actually belong to the sender. Otherwise someone
could claim to be the sender, presenting a different public key instead of the
real one.
In OptimalJ, both the signing and the verifying part use X509 Certificates
(versions 1 through 3) as a means of communicating/obtaining public keys to
be used in verifying. X509 is described by WS-Security and includes extensible
ways to describe the characteristics of the credentials included with a message.
Since an X509 Certificate maps a public key to the key owners identity, it is
of paramount importance that the verifier make sure that the certificate is
valid: i.e., its owner identity is known or can be testified to by a Certificate
Authority like Verisign (http://www.verisign.com/) or Thawte
(http://www.thawte.com/) prior to verifying the message with the certificates
public key. For testing purposes and simple scenarios, one can use the JDKs
keytool utility6 for the generation of private keys and certificates too. In this
respect, the capabilities of keytool are somewhat limited in that it always
generates self-signed X509 Version 1 certificates, which offer very little
authenticity.
6
http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
7
Java keystore is a secure storage for private keys and certificate chains
13
Digital signatures - signing
The senders private key is used to encrypt the message digest. This is termed
the digital signature. Since the private key of a person is involved, the
digital signature is unique to that individual. This establishes the identity of
the sender (signer). This signature is then bound to the message and sent
along with the document or the transaction. The public key of the individual
is also sent.
14
Digital signatures - verification
When an individual receives a signed document, the verification process is
initiated. The public key of the sender is used to decrypt the digital signature
and retrieve the message digest. The hash algorithm is applied again to the
digital contents to generate another message digest. These two message digests
are compared, and, if they match, verification is successful. If there were any
changes in the digital contents, the resultant message digest would differ from
the original one and the verification would fail.
When the verifying properties are specified, they can be bound to any Web
services component that is available in the Web service Integration Model.
The verifying properties are generated into the deployment descriptor. By
default, the verifying part always ensures that only those requests are processed
whose whole SOAP bodies are signed. If only a portion of the body is signed,
the verifier rejects the request with a SOAP fault being reported back to the
sender. The verifying part can be configured to accept not-signed SOAP
envelopes, in which case a normal not-signed message is simply passed on to
the implementing class. In most cases this should be avoided.
15
Summary
Compuware products
and professional services
OptimalJ enables users to create Web services (provision) from a high-level
delivering quality business model, hiding the complexity by generating all the J2EE
applications administrative code. Developers and designers have more time to focus on the
real added value of the Web service, i.e., fully focus on the implementation of
Compuware is a leading global the business logic. Additionally, OptimalJ enables users to call an external
provider of software products and Web service (consumption) just based on importing its WSDL file. Based on
professional services which IT this information OptimalJ generates the necessary components to invoke the
organizations use to develop, Web service, taking the complexity away.
integrate, test and manage the
performance of the applications OptimalJ minimizes security risks by implementing secure Web services based
that drive their businesses. Our on the OASIS standard. OptimalJ supports all mandatory and recommended
software products help optimize algorithms for digesting, signing and verifying as specified in the Web Services
every step in the application life Security and XML-Signature Syntax and Processing8 documents. By its model-
cyclefrom defining requirements driven nature, OptimalJ hides the Web Services Security complexity by
to supporting production service deriving all the necessary components from the models.
levelsfor web, distributed and
mainframe platforms. Our services
professionals work at customer
sites around the world, sharing
their real-world perspective and
experience to deliver an
integrated, reliable solution.
8
http://www.w3.org/TR/2002/REC-xmldsig-core-20020212
1/04