From Developer to Production, Promoting your WebServices
DESCRIPTION
As given at UKOUG'08
TRANSCRIPT
From Developer to Production, Promoting your WebServices
Gerard Davison : Senior Principal Software Engineer
JDeveloper WebServices
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Presentation Agenda
• Introduction
• Policies
• Publishing Services
• Consuming Services
• Conclusion
Introduction
Introduction: P is for promotion
• Make it easy to simplify deployments
• Focus on JAX-WS but a lot is applicable to JAX-RPC in WebLogic
[Diagram: Dev, Test, Production]
Introduction: E is for endpoints
• Need to use different instances of a web service in different contexts
  – Versioning a different problem
• Mock services for development
• “Real” services for production
  – Can alter real data
  – Can cost money per-transaction
Introduction: S is for security
• Web Service Security is like pick’n’mix
  – Likely to cause indigestion
  – Hard to move to a different shop once you’ve started
• Can be hard to set up a dev / test / production env
• Less productive
• Policies are the key to making this easier
Introduction: Development
[Diagram: Client, LoanApprover, CreditRating, MockRating]
Introduction: Testing
[Diagram: Client, LoanApprover, CreditRating, MockRating; Secured]
Introduction: Production
[Diagram: Client, LoanApprover, CreditRating, MockRating; Secured]
Policies Primer
Policies: WS-Policy
• A description of how to communicate
  – Stuff that happens to the message after you have sent it
• A meta pointer for other WS-* standards
• Cover a range of technologies
  – WS-Addressing
  – WS-Security
  – WS-ReliableMessaging
  – WS-TX
Policies: WS-Policy - Some namespaces
• wsp:
  – http://schemas.xmlsoap.org/ws/2004/09/policy
• wsu:
  – http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
• sp:
  – http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Policies: WS-Policy - Normal Form
<wsp:Policy>
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens>
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/…">
            <wsp:Policy>
              <sp:WssUsernameToken10/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
Policies: WS-Policy - Compact
<wsp:Policy>
  <sp:SupportingTokens>
    <wsp:Policy>
      <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/…">
        <wsp:Policy>
          <sp:WssUsernameToken10/>
        </wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SupportingTokens>
</wsp:Policy>
Policies: WS-Policy - ID
<wsp:Policy Name="UserNameToken" wsu:Id="SP1">
  <sp:SupportingTokens>
    <wsp:Policy>
      <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/…">
        <wsp:Policy>
          <sp:WssUsernameToken10/>
        </wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SupportingTokens>
</wsp:Policy>
Policies: WS-Policy - Referenced From a WSDL
<wsdl:portType name="CreditRating"
               wsp:PolicyURIs="#SP1">
  <wsdl:operation>…</wsdl:operation>
</wsdl:portType>
Policies: WS-Policy - Where does it get referenced
• Service Policy Subject: Service
• Endpoint Policy Subject: Port / Binding / PortType
• Operation Policy Subject: Binding.Operation / PortType.Operation
• Message Policy Subject: Input / Output / Fault / Message
Policies: WS-Policy
• Important for both publishing and consuming
• Can be named
• Can be managed at deploy time
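A deploy-time check for the reference shown on the "Referenced From a WSDL" slide, as an added example that is not from the original slides: it confirms that a portType's wsp:PolicyURIs resolves to a local policy containing sp:UsernameToken, so a WSDL promoted without its security policy is caught. The class and method names are hypothetical and the WSDL fragments are constructed; it assumes the policy id is carried in wsu:Id.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
public class PolicyReferenceCheck {          // hypothetical name, not part of any Oracle API
    // Namespaces as listed on the "Some namespaces" slide, plus the WSDL 1.1 namespace.
    static final String WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";
    static final String WSDL = "http://schemas.xmlsoap.org/wsdl/";
    /** True if the named portType references a local policy that contains sp:UsernameToken. */
    static boolean requiresUsernameToken(String wsdlXml, String portTypeName) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DOCTYPE declarations so an untrusted WSDL cannot pull in external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(wsdlXml.getBytes(StandardCharsets.UTF_8)));
        NodeList portTypes = doc.getElementsByTagNameNS(WSDL, "portType");
        NodeList policies = doc.getElementsByTagNameNS(WSP, "Policy");
        for (int i = 0; i < portTypes.getLength(); i++) {
            Element pt = (Element) portTypes.item(i);
            if (!portTypeName.equals(pt.getAttribute("name"))) continue;
            for (String uri : pt.getAttributeNS(WSP, "PolicyURIs").trim().split("\\s+")) {
                if (!uri.startsWith("#")) continue;   // only same-document references are resolved
                for (int j = 0; j < policies.getLength(); j++) {
                    Element p = (Element) policies.item(j);
                    if (uri.substring(1).equals(p.getAttributeNS(WSU, "Id"))
                            && p.getElementsByTagNameNS(SP, "UsernameToken").getLength() > 0) {
                        return true;
                    }
                }
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample WSDL fragments, not taken from a real service.
        String head = "<wsdl:definitions xmlns:wsdl='" + WSDL + "' xmlns:wsp='" + WSP
                + "' xmlns:wsu='" + WSU + "' xmlns:sp='" + SP + "'><wsp:Policy wsu:Id='SP1'>"
                + "<sp:SupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy>"
                + "</sp:SupportingTokens></wsp:Policy><wsdl:portType name='CreditRating' ";
        String tail = "/></wsdl:definitions>";
        System.out.println(requiresUsernameToken(head + "wsp:PolicyURIs='#SP1'" + tail, "CreditRating"));
        System.out.println(requiresUsernameToken(head + tail, "CreditRating"));
    }
}
```

The first call sees the reference to SP1; the second WSDL has the policy defined but never referenced, which is the case a promotion check needs to flag.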
Publishing Services
Publishing: WebLogic policies
• For JAX-WS only security policy at the moment
  – Use @Addressing for WS-Addressing policy
• For JAX-RPC also reliable messaging
• @Policies(@Policy(uri="policy:…."))
• weblogic-webservices-policy.xml in WEB-INF / META-INF
Publishing: Centralized configuration
• KeyStores, etc… are configured at the server level
• Allow you to assert rather than configure
• Different configuration at each level:
  – Dev - no security
  – QA - security using internal certificates
  – Deploy - security using “gold” certificates
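Publishing: Annotation to “standard” policies
import javax.jws.WebService;
import weblogic.jws.Policies;
import weblogic.jws.Policy;

@WebService
@Policies(@Policy(uri = "policy:SomePolicy.xml"))  // policy is asserted here, configured on the server
public class Hello {
    public String sayHello(String name) {
        return name;
    }
}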
Publishing: Deployment descriptor
<webservice-policy-ref …>
  <port-policy>HelloPort</port-policy>
  <ws-policy>
    <uri>policy:SomePolicy.xml</uri>
    <direction>both</direction>
  </ws-policy>
</webservice-policy-ref>
Publishing: Deployment Plan
• JSR-88
• WebLogic xml file not standard
• Also can override individual files
• The key to dealing with promotion
• No tooling in JDeveloper yet
Publishing Demo
Publishing: Summary
• A mix of deployment and environmental artifacts
• Security declaratively added at class level
• But the configuration done at domain level
Consuming Services
Consuming: Endpoints
• Abstract WSDL defines the service
• Concrete WSDL tells you where to find it
• You often want to change location
  – Promotion
  – Or multiple deployments in different environments
• But you want a static interface to program against
Consuming: Changing the endpoint
public void doSomething(…) {
    CreditRating_Service crs = …
    CreditRating cr = crs.getCreditRatingPort();

    ((BindingProvider) cr).getRequestContext()
        .put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, "http://…………");
}
Consuming: WSDLS
• WSDLs also contain policies
• Won’t be read if you just change the endpoint
• Can create a new service object
  – Expensive
• Better to use injection in EE case
Consuming: Injection and indirection
@WebServiceRef(name = "CreditRatingService")
CreditRating creditRatingPort;

<service-ref>
  <service-ref-name>CreditRatingService</service-ref-name>
  <service-interface>com.somecreditrating.xmlns.rating.CreditRating_Service</service-interface>
</service-ref>
Consuming Demo
Consuming: Security Tokens
• Simple .properties file in this example
• Should be using a Keystore
  – JCEKS rather than default JKS to store SecretKey instances
  – Still need to hard code a password but less open to brute force searching
• Possibly query WebLogic stores for environmental configuration
  – I’m still learning the stack
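Consuming: Security Tokens : Storing
// Needs java.security.KeyStore (with its nested PasswordProtection and SecretKeyEntry),
// javax.crypto.SecretKey, javax.crypto.SecretKeyFactory and javax.crypto.spec.PBEKeySpec
KeyStore ks = KeyStore.getInstance("JCEKS");
ks.load(null, keyStorePassword);               // null stream creates a new, empty store
PasswordProtection keyStorePP = new PasswordProtection(keyStorePassword);

// Wrap the password (char[]) as a SecretKey so the keystore can hold it
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBE");
SecretKey generatedSecret = factory.generateSecret(new PBEKeySpec(password));

ks.setEntry(key, new SecretKeyEntry(generatedSecret), keyStorePP);
ks.store(…, keyStorePassword);                 // write the keystore to an OutputStream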
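Consuming: Security Tokens : Retrieving
KeyStore ks = KeyStore.getInstance("JCEKS");
ks.load(…, keyStorePassword);                  // read the keystore from an InputStream
PasswordProtection keyStorePP = new PasswordProtection(keyStorePassword);

SecretKeyFactory factory = SecretKeyFactory.getInstance("PBE");
SecretKeyEntry ske = (SecretKeyEntry) ks.getEntry(key, keyStorePP);

// Convert the stored SecretKey back into the original password characters
PBEKeySpec keySpec = (PBEKeySpec) factory.getKeySpec(ske.getSecretKey(), PBEKeySpec.class);
char[] password = keySpec.getPassword();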
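The storing and retrieving snippets above, joined into one self-contained round trip as an added example that is not from the original slides: it keeps the keystore in memory instead of a file, clears the intermediate key specs, and returns null when the alias is missing or is not a secret key. The class name, method names and passwords are hypothetical, constructed values.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.KeyStore.PasswordProtection;
import java.security.KeyStore.SecretKeyEntry;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class TokenStore {                    // hypothetical name
    /** Stores a service password under an alias and returns the serialized JCEKS keystore. */
    static byte[] store(String alias, char[] servicePassword, char[] keyStorePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, keyStorePassword);                     // null stream creates an empty store
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBE");
        PBEKeySpec spec = new PBEKeySpec(servicePassword);
        ks.setEntry(alias, new SecretKeyEntry(factory.generateSecret(spec)),
                new PasswordProtection(keyStorePassword));
        spec.clearPassword();                                // wipe the spec's copy of the password
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, keyStorePassword);
        return out.toByteArray();
    }

    /** Returns the stored password, or null if the alias is absent or is not a secret key. */
    static char[] retrieve(byte[] storeBytes, String alias, char[] keyStorePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        // load() throws IOException if the keystore password is wrong or the data was altered
        ks.load(new ByteArrayInputStream(storeBytes), keyStorePassword);
        if (!ks.entryInstanceOf(alias, SecretKeyEntry.class)) return null;
        SecretKeyEntry ske = (SecretKeyEntry) ks.getEntry(alias, new PasswordProtection(keyStorePassword));
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBE");
        PBEKeySpec spec = (PBEKeySpec) factory.getKeySpec(ske.getSecretKey(), PBEKeySpec.class);
        char[] password = spec.getPassword();                // getPassword() returns a copy
        spec.clearPassword();
        return password;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; a real keystore password would not be a source literal.
        char[] storePass = "constructed-store-pass".toCharArray();
        byte[] bytes = store("CreditRatingService", "constructed-service-pass".toCharArray(), storePass);
        System.out.println(new String(retrieve(bytes, "CreditRatingService", storePass)));
        System.out.println("missing alias returns null: " + (retrieve(bytes, "NoSuchAlias", storePass) == null));
    }
}
```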
Consuming: Alternatives : Catalog file
@WebServiceRef(type = CreditRating_Service.class)
CreditRating creditRatingPort;

In WEB-INF or META-INF, jax-ws-catalog.xml:

<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog" prefer="system">
  <system systemId="CreditRating.wsdl" uri="ExternalCreditRating.wsdl"/>
</catalog>
Consuming: Alternatives : UDDI
• Lookup service by UUID
  – UDDI 2.0 repository built in to WebLogic
  – Just edit uddi.properties to enable
• BPEL has support for this directly
• For JAX-WS write your own code to lookup WSDL
• Some BPEL services do WSDL indirection
  – Only changes on the BPEL server
Consuming: Alternatives: DI, Spring
@AuthenticatedService("CreditRatingService")
CreditRating creditRatingPort;

// or

<bean id="CreditRatingService">
  …
</bean>
Consuming: Alternatives: Aspects
@WebServiceRef(type = CreditRating_Service.class)
@InjectionPoint(key = "Name")
CreditRating creditRatingPort;

//

public aspect InjectionProvider {
    // Matches every assignment to a field carrying both annotations
    pointcut injectionPoint(Object target) :
        set(@WebServiceRef @InjectionPoint * *) && target(target);

    after(Object target) : injectionPoint(target) {
        BindingProvider = target; …
    }
}
Conclusion
Conclusion
• Understand and use policies
• Design from the start with promotion in mind
  – EE
  – DI
  – Home grown
• Managing security tokens is finicky
  – Store passwords in wallet or keystore
For More Information
• JDeveloper
  – http://www.oracle.com/technology/products/jdev/index.html
• WebLogic
  – http://www.oracle.com/technology/products/weblogic/index.html
• Your speaker
  – [email protected]
  – http://kingsfleet.blogspot.com/