By Tom Yohe
October 21, 2006 07:30 PM EDT
An efficient Service Oriented Architecture (SOA) implementation distributes as much processing as possible to trusted appliances in the nearer tiers, where intelligent content-based routing decisions made by highly efficient processors can also perform caching, transformations, and other functions. This article presents a detailed example of a "Las Vegas Casino" that has been implemented as a set of distributed Web Services and provides a step-by-step guide for delivering these services. The implementation of this virtual casino extends from the farthest tier, the central database engine, all the way out to the client, where acceleration has been transparently injected into the browser for an optimal user experience.
The Las Vegas Casino manifests itself to the user as an Asynchronous JavaScript and XML (AJAX) application, with a rich GUI of slot machines, roulette wheels, Texas hold'em, and of course blackjack. Each of these is supported by a highly scalable set of Web Services. The XML traffic between the client and data center consists mostly of Simple Object Access Protocol (SOAP) request/response exchanges transported over an optimized HTTP/S protocol with unique features such as bi-directional compression, "TurboStreaming," and XML document differencing. The XML "front gate" situated at the nearest tier of the data center analyzes the traffic and classifies the user into an authorization realm, on which sophisticated decisions can then be made according to application policies.
The application policies control how XML content processing is performed. Foremost is protecting the virtual casino from malicious XML-borne threats and informing the casino bosses that threats have been encountered and averted. Incoming XML requests are also validated to ensure that they conform to one of the virtual casino's schemas. Each request is then analyzed against a set of XPath statements that govern how the request should be transformed, and then against a different set of XPath statements that determine which enterprise application server in the farther tiers should handle the now validated and transformed request. When possible, a response is served from a cache located at a nearer tier.
This article also highlights the performance measurement techniques employed to measure the response time of the various services of the virtual casino. Service level agreements are established, and alerts are sent out when response time fails to meet the compliance threshold.
Backdrop
The patrons of the virtual casino enjoy a robust graphical user interface that is presented by their browser. These users find comfort in the padlock shown on the status bar that proves that all traffic is flowing over an encrypted tunnel. The rich user interface seems to effortlessly convey the sights and sounds of a casino atmosphere along with a vivid portrayal of their account status. Back at the data center, the database servers, which are the ultimate source of this presentation, operate smoothly and securely processing a steady flow of transactions. The owners of this enterprise have designed a business model where a small but fixed percentage of all wagers flow directly to the bottom line. This lucrative business is the result of hiring top-notch service-oriented architects who understood how to make effective use of optimization appliances to deliver an exciting product to the customers in a completely secure fashion.
The enterprise architects were tasked with meeting several important objectives:
- The data center had to be completely safe from malicious attacks.
- Customer confidentiality had to be protected.
- The customer experience had to be vividly rich and minimize consumption of I/O bandwidth.
- The system had to scale and be impervious to single points of failure.
- Response time to customer transactions had to appear as instantaneous as it would in a real casino.
The virtual casino is composed of the following Web Services:
- Account Registration - Establish user ID, password, credit card.
- Account crediting/debiting - The other "gaming" services interface with this service as games are won or lost.
- Gaming Services
  - BlackJack
  - Slots
  - Texas Hold'em
  - Roulette
The back-end database servers and Web Service processors are insulated from threats by employing an Optimization Appliance (OA). The judicious use of XML content processing appliances was the key to a successful build-out of this SOA. The OA takes care of the following:
- User authentication
- SSL encryption
- WAN optimization
- XML threat protection
- XML content-based routing, transformation, and schema validation
Now that the backdrop has been painted, the remainder of this article discusses the steps taken to integrate a scalable optimization appliance into the SOA implementation.
Designating the XML Front Gate
The first challenge is to ensure that all of the external HTTP traffic is directed to the optimization appliance. This is accomplished by having the DNS name in the server portion of the URL resolve to the OA. The OA typically has "external" (public) ports, which are protected against basic Internet attacks by intrusion detection and similar defenses, and "internal" (private) ports that interface to the other services of the SOA implementation. The software that runs on the OA functions as an important insulator between the wilds of the Internet and the well-behaved Web Services of the data center.
Intelligent Port Definitions
The OA is configured to securely insulate the data center by only listening for incoming TCP sessions on predefined port definitions that associate the external IP address/port pairs with SSL encryption certificates. The SSL encryption certificates are text documents that have been "signed" by a certificate authority and provide the end user with credentials proving that they are securely connected. The certificate documents are uploaded into the OA and stored in a tamper-proof key store. In the case of the "virtual casino," only one SSL encryption certificate document is needed because all SOAP requests are directed to the same URL. The certificate makes it possible to conduct SSL sessions between the OA and the customers; this SSL traffic is terminated at the OA, and the OA in turn communicates with the back-end servers over unencrypted channels.
Signing In
All new TCP connections are expected to be HTTP/S, and any other protocol is rejected. After the HTTP/S handshake completes, the AJAX application is retrieved by the browser. The first operation of this application is to "sign in" with the casino's account registration Web Service. The sign-in operation generates SOAP requests that ultimately result in a "cookie" being obtained from the accounting service. The OA ensures that, without this dynamically generated cookie, which is cryptographically infeasible to guess, no operations against the other casino Web Services are possible.
The sign-in process also entails the assignment of the user to an authorization realm that's defined on the OA. When subsequent SOAP requests are received by the OA, it bases application policy decisions (such as preferential treatment for a user in the "high-roller" group) on the authorization realm that's assigned.
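The front-gate behaviour described above (sign-in cookie as the only way in, realm-based policy, XPath-based routing) in a small Python model. This is an added example, not the article's or Stampede Technologies' code; the casino namespace, pool hostnames and route expressions are constructed for illustration.

```python
import secrets
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CASINO_NS = "urn:example:casino"  # constructed; the article names no namespace
NS = {"soap": SOAP_NS, "c": CASINO_NS}

# ElementTree's XPath subset -> back-end pool (hostnames are constructed).
# First matching expression wins, mirroring the article's routing XPath set.
ROUTES = [
    (".//c:Blackjack", "blackjack-pool.internal"),
    (".//c:Slots", "slots-pool.internal"),
    (".//c:Wager[@currency='USD']", "accounting-pool.internal"),
]


class FrontGate:
    def __init__(self):
        self._sessions = {}  # cookie -> authorization realm

    def sign_in(self, user_id, realm):
        """Issue an unguessable session cookie bound to an authorization realm."""
        cookie = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[cookie] = realm
        return cookie

    def route(self, cookie, soap_xml):
        """Return the back-end pool for a request, or None if it must be dropped."""
        realm = self._sessions.get(cookie)
        if realm is None:
            return None  # no valid cookie: no other service is reachable
        try:
            env = ET.fromstring(soap_xml)
        except ET.ParseError:
            return None  # malformed XML never reaches the back end
        body = env.find("soap:Body", NS)
        if env.tag != f"{{{SOAP_NS}}}Envelope" or body is None:
            return None  # not a SOAP envelope the casino schemas describe
        for xpath, pool in ROUTES:
            if body.find(xpath, NS) is not None:
                # Policy decision keyed on the realm: high-rollers get a dedicated pool.
                return f"vip-{pool}" if realm == "high-roller" else pool
        return None  # unrouted requests are rejected, not forwarded


# Constructed sample request: a blackjack operation inside a SOAP 1.1 envelope.
SAMPLE_REQUEST = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:c="{CASINO_NS}">'
    "<soap:Body><c:Blackjack><c:Action>hit</c:Action></c:Blackjack></soap:Body>"
    "</soap:Envelope>"
)
```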
Acceleration Injection
A very interesting phenomenon occurs when the AJAX application is downloaded. The OA "injects" a powerful ActiveX control called "AOD" into the application that extends the optimization capabilities of the OA all the way out to the client. All subsequent traffic between the OA and AJAX application flows through this optimization engine. This engine does bi-directional compression and TCP session aggregation, which is important because it lets the AJAX application perform its "object-oriented" functions without generating costly new SSL session establishments. This AOD feature is integral to meeting the objective of limiting the WAN bandwidth consumption of the application.
Threat Protection
Now that we've nailed the delivery of an AOD-injected AJAX application, we can move on to configuring the XML threat management capabilities of the OA. Fortunately this is easy to do. A single checkbox (on by default) causes all inbound XML SOAP requests to be screened against a new breed of XML-based attacks. These threats operate at a higher level than the attacks of yesteryear (e.g., SYN-FLOOD), which are effectively defended against by intrusion detection devices that operate at the IP packet level. The virtual casino's OA is hardware-assisted by Tarari's unique "XTM" XML threat protection engine. Tarari's patent-pending XML anomaly detection "learns" to recognize threat-bearing messages. The Tarari XTM recognizes dozens of well-known XML XDoS attacks like recursive payload, attribute explosion, and dangling XML, and can also flag traffic that represents previously unknown threats - often on the first message.
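The three XDoS patterns named above can be caught before a full parse by a budget-based pre-screen on the front gate. The Python screen below is an added example, not the article's or Tarari's engine; the limits are constructed and should be tuned to the casino's schemas.

```python
import xml.parsers.expat


class _Rejected(Exception):
    """Raised inside an expat handler to abort parsing with a reason."""


class XmlThreatScreen:
    """Budget-based pre-screen for inbound SOAP payloads (constructed limits)."""

    def __init__(self, max_depth=32, max_attrs=64, max_bytes=1_000_000):
        self.max_depth = max_depth
        self.max_attrs = max_attrs
        self.max_bytes = max_bytes

    def screen(self, data):
        """Return None when the message passes, otherwise a short rejection reason."""
        if len(data) > self.max_bytes:
            return "oversized payload"
        depth = 0

        def start(name, attrs):
            nonlocal depth
            depth += 1
            if depth > self.max_depth:
                raise _Rejected("recursive payload")  # nesting beyond the budget
            if len(attrs) > self.max_attrs:
                raise _Rejected("attribute explosion")  # too many attributes on one element

        def end(name):
            nonlocal depth
            depth -= 1

        def doctype(name, sysid, pubid, has_internal_subset):
            # SOAP messages must not carry a DTD; rejecting it also blocks entity expansion.
            raise _Rejected("DTD not allowed in SOAP")

        parser = xml.parsers.expat.ParserCreate()
        parser.StartElementHandler = start
        parser.EndElementHandler = end
        parser.StartDoctypeDeclHandler = doctype
        try:
            parser.Parse(data, True)  # isfinal=True: a truncated document is an error
        except _Rejected as reason:
            return str(reason)
        except xml.parsers.expat.ExpatError:
            return "dangling or malformed XML"  # unterminated (dangling) or invalid XML
        return None
```

Because the screen streams through expat and aborts at the first violated budget, a hostile message is rejected after reading only as much of it as the budget allows.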
Copyright © 2006 SYS-CON Media, Inc. — All Rights Reserved.
Tom Yohe is the VP of Engineering and cofounder of Stampede Technologies, and currently leads one of the world's most elite enterprise optimization engineering teams, developing Web Acceleration Appliances for a broad range of Fortune 500 companies. Tom has been delivering award-winning enterprise products for over 25 years and has been granted numerous patents for unique data communications optimization techniques. Tom has a computer science degree from Penn State University.