Welcome!

Microservices Expo Authors: Liz McMillan, Pat Romanski, Carmen Gonzalez, Elizabeth White, Jason Bloomberg

Related Topics: Microservices Expo, Machine Learning

Microservices Expo: Article

Web Services and SOA

Practical Interoperability Approaches, WS-Security and WS-Addressing Explained

After receiving the request, the BPEL process sends the response message to the WCF service specified within the ReplyTo header. The request and response messages are correlated using the RelatesTo header. On the client side, the WCF service operation includes the following code in order to receive the WS-Addressing v1.0 headers:

UniqueId relatesTo = OperationContext.Current.IncomingMessageHeaders.RelatesTo;

Using these steps, messaging solutions can interoperate even with different versions of WS-Addressing.

BPEL and WS-Security Interoperability Challenges
In the second part of this article, we focus on WS-Security interoperability, because it is another key specification in any WS-* implementation. The main goal behind WS-Security is to enhance SOAP messaging by providing message integrity, confidentiality, and authentication. WS-Security also serves as the base standard to other WS-* protocols, such as WS-SecureConversation, WS-Trust, and WS-Federation. The key function of WS-Security is to provide a general purpose mechanism to associate security tokens with SOAP messages. In this scenario, security-related information is carried in the message itself, instead of in external artifacts. This is known as message-based security and can be used in conjunction with a transport layer security such as SSL.

Message Security vs. Transport Security
SSL has proven its effectiveness in securing resources through the internet. When dealing with Web services, however, SSL is a very coarse-grained tool and has several specific limitations:

  • SSL is strictly tied to TCP-based transports such as HTTP. For Web services that use non-TCP transports such as MSMQ or SMTP SSL, it is not a viable option.
  • SSL was designed for point-to-point communications. This makes it difficult to implement a routing scenario between Web services. In a routing scenario, the final receiver must be able to validate the original credentials. Extensibility using SSL becomes difficult to provide when those credentials are not stored in the message.
  • SSL protects the messages on the wire (between the endpoints) but does not provide protection for the message at the endpoints. This allows access to the whole message upon gaining access to one of the endpoints.
In regards to business process integration, the WS-BPEL standard recommends the use of WS-Security to ensure authorization, authentication, confidentiality, and integrity. The implicit vs. explicit mechanisms explored earlier are also applicable to WS-Security interoperability.

WS-Security Interoperability Example
WCF provides an up-to-date implementation of the WS-* security stack including WS-Security, WS-SecureConversation, WS-Trust, and WS-Federation, allowing developers to implement transport and message security scenarios. Specifically for WS-Security, WCF supports a number of token types, including UserName and Password.

The WS-Security UserNameToken profile provides a standards-based way to send user credentials, which enables applications and platforms to unify their approach. A message-based security approach moves credentials outside the actual operation and into SOAP headers, which makes it possible to alter authentication without touching the operation.

The example used in this article consists of a WCF service that is being invoked from a BPEL process. Before the first call is made, the BPEL process must authenticate to the WCF service using WS-Security and UserName and Password.

The code in Listing 4 shows the target WCF service.

The bindings and behaviors shown in Listing 5 enforce the use of UserName and Password for the authentication. Consider the sample code below, which shows a custom class that provides the UserName and Password validation:

public class MyUserNameValidator :UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
      if (null == userName || null == password)
      {
        throw new ArgumentNullException();
      }
      if (!(userName == "user1" && password == "password1"))
      {
        throw new SecurityTokenException ("Unknown Username or Incorrect Password");
      }
    }
}

Next we implement the BPEL process that invokes the WCF service. The first step is to create a BPEL partnerLink that represents the WCF service. Here is the partnerLink declaration.

<plnk:partnerLinkType name="ServiceSoap_PL">
    <plnk:role name="ServiceSoap_Role">
       <plnk:portType name="tns:MathService_ASPNetSoap"/>
    </plnk:role>
</plnk:partnerLinkType>

In the next step, we provide the required WS-Security headers as part of the <invoke> activity. Using bpelx:inputHeaderVariable (an extension to WS-BPEL standard) we can pass SOAP headers as part of the outgoing message. This is the primary way to send the SOAP-specific headers. The bpelx:inputHeaderVariable extension is specific to Oracle BPEL Process Manager, which also provides deployment descriptor properties (wsseHeaders, wsseUsername, wssePassword) to handle WS-Security headers implicitly.

Listing 6 highlights the code fragments dealing with WS-Security headers. Note especially the inputHeaderVariable that is passed along the invoke activity, as well as wsse:Security.

Running the BPEL process produces the SOAP message shown in Listing 7 when the WCF service is invoked. Pay close attention to the marked section.

This technique allows the creation of BPEL processes that can truly interoperate with WCF services by using WS-Security. The flexibility introduced by manipulating header variables in BPEL allows developers to create interoperability explicitly, when implicit means are not sufficient.

Conclusion
In this article we demonstrated how interoperability between Microsoft .NET WCF and WS-BPEL can be achieved by using explicit means.

SOA applications that require long-running business processes with security and messaging can be built quickly and easily with Web services as the underlying specifications. Web services promise heterogeneous interoperability, and while we anticipate implicit interoperability approaches to be sufficient in the near future, explicit capabilities are still needed in the short term. Such interoperability is real today, as shown by the examples in this article that use Microsoft WCF and Oracle BPEL Process Manager.

More Stories By Jesus Rodriguez

Jesus Rodriguez is a co-founder and CEO of KidoZen, an enterprise mobile-first platform as a service redefining the future of enterprise mobile solutions. He is also the co-founder to Tellago, an award-winning professional services firm focused on big enterprise software trends. Under his leadership, KidoZen and Tellago have been recognized as an innovator in the areas of enterprise software and solutions achieving important awards like the Inc 500, Stevie Awards’ American and International Business Awards.

A software scientist by background, Jesus is an internationally recognized speaker and author with contributions that include hundreds of articles and sessions at industry conferences. He serves as an advisor to several software companies such as Microsoft and Oracle, sits at the board of different technology companies. Jesus is a prolific blogger on all subjects related to software technology and entrepreneurship. You can gain valuable insight on business and software technology through his blogs at http://jrodthoughts.com and http://weblogs.asp.net/gsusx .

More Stories By Clemens Utschig

Clemens Utschig works within the Oracle SOA Product Management Team responsible for security aspects and cross product integration. Aside from technology, Clemens' focus is on project management and consulting aspects coming along with SOA implementations. As a native Austrian, Clemens' Oracle career started in Europe at the local consulting services branch—working with customers on J2EE and SOA projects, and founded the local Java community. He is a frequent speaker at conferences evangelizing either on technology or the human factor—two key aspects when introducing new concepts and shifts in corporate IT strategy.

More Stories By Heidi Buelow

Heidi Buelow is a product manager for the Oracle SOA Suite. She spent the last 10 years building business process management systems with a focus on service integration and interoperability of diverse systems. Heidi’s career developing service-oriented architecture started with the early services- and object-oriented transport and messaging stacks of Xerox PARC’s XNS networking protocols. Her recent experience includes the development of the BPMS platform and tools for very large SOA-based solutions, an example of which is the managed care system of one the largest managed healthcare companies in the United States.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Microservices Articles
Modern software design has fundamentally changed how we manage applications, causing many to turn to containers as the new virtual machine for resource management. As container adoption grows beyond stateless applications to stateful workloads, the need for persistent storage is foundational - something customers routinely cite as a top pain point. In his session at @DevOpsSummit at 21st Cloud Expo, Bill Borsari, Head of Systems Engineering at Datera, explored how organizations can reap the bene...
"NetApp's vision is how we help organizations manage data - delivering the right data in the right place, in the right time, to the people who need it, and doing it agnostic to what the platform is," explained Josh Atwell, Developer Advocate for NetApp, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
The Jevons Paradox suggests that when technological advances increase efficiency of a resource, it results in an overall increase in consumption. Writing on the increased use of coal as a result of technological improvements, 19th-century economist William Stanley Jevons found that these improvements led to the development of new ways to utilize coal. In his session at 19th Cloud Expo, Mark Thiele, Chief Strategy Officer for Apcera, compared the Jevons Paradox to modern-day enterprise IT, examin...
In his session at 20th Cloud Expo, Mike Johnston, an infrastructure engineer at Supergiant.io, discussed how to use Kubernetes to set up a SaaS infrastructure for your business. Mike Johnston is an infrastructure engineer at Supergiant.io with over 12 years of experience designing, deploying, and maintaining server and workstation infrastructure at all scales. He has experience with brick and mortar data centers as well as cloud providers like Digital Ocean, Amazon Web Services, and Rackspace. H...
Skeuomorphism usually means retaining existing design cues in something new that doesn’t actually need them. However, the concept of skeuomorphism can be thought of as relating more broadly to applying existing patterns to new technologies that, in fact, cry out for new approaches. In his session at DevOps Summit, Gordon Haff, Senior Cloud Strategy Marketing and Evangelism Manager at Red Hat, will discuss why containers should be paired with new architectural practices such as microservices ra...
In his session at 20th Cloud Expo, Scott Davis, CTO of Embotics, discussed how automation can provide the dynamic management required to cost-effectively deliver microservices and container solutions at scale. He also discussed how flexible automation is the key to effectively bridging and seamlessly coordinating both IT and developer needs for component orchestration across disparate clouds – an increasingly important requirement at today’s multi-cloud enterprise.
The Software Defined Data Center (SDDC), which enables organizations to seamlessly run in a hybrid cloud model (public + private cloud), is here to stay. IDC estimates that the software-defined networking market will be valued at $3.7 billion by 2016. Security is a key component and benefit of the SDDC, and offers an opportunity to build security 'from the ground up' and weave it into the environment from day one. In his session at 16th Cloud Expo, Reuven Harrison, CTO and Co-Founder of Tufin, ...
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm. In their Day 3 Keynote at 20th Cloud Expo, Chris Brown, a Solutions Marketing Manager at Nutanix, and Mark Lav...
Many organizations are now looking to DevOps maturity models to gauge their DevOps adoption and compare their maturity to their peers. However, as enterprise organizations rush to adopt DevOps, moving past experimentation to embrace it at scale, they are in danger of falling into the trap that they have fallen into time and time again. Unfortunately, we've seen this movie before, and we know how it ends: badly.
TCP (Transmission Control Protocol) is a common and reliable transmission protocol on the Internet. TCP was introduced in the 70s by Stanford University for US Defense to establish connectivity between distributed systems to maintain a backup of defense information. At the time, TCP was introduced to communicate amongst a selected set of devices for a smaller dataset over shorter distances. As the Internet evolved, however, the number of applications and users, and the types of data accessed and...