Building Web Services with .

NET

Nigel Watson (nigelwat@microsoft.com) Academic Developer Relations Developer and Platform Strategy Group Microsoft PTY, Melbourne

Agenda
• Building the Programmable Web • Web Services in .NET • Furthering standards: GXA • Summary

.NET Vision
Bank Ski Lodge

Airline

Ski Hire Gear

Building the Programmable Web
So… What is a Web Service?
• • • •

A remote procedure call technology based on open standards A way to connect disparate applications on disparate platforms using open standards A way to automate application to application integration using open standards A way to expose application functionality using open standards OPEN STANDARDS ARE KEY TO WEB SERVICES

Web applications today...

HTML HTML

L M T H

L L M M HT HT

Presentation tier BusLogic tier OS/Data tier

The Web Services protocol stack
Founded on industry standard protocols SOAP used to call methods on other systems using XML over HTTP WSDL used to describe a Web Service’s interface (i.e. methods available, parameters, return values etc.) UDDI is a directory that can be used to programmatically search for a Web Service

XML and HTTP SOAP

Simple Object Access Protocol

Web Services Description Language

WSDL

Universal Description, Discovery and Integration

UDDI

Next generation web applications…
Services X ML Smarter Clients
XML

Applications Become Other Programmable Web Services Public Web
Presentation Presentation tier tier BusLogic tier OS/Data tier
L XM
XML

Services

.NET Services Internal Services

Standard L HTM Browsers

XML

XM ML Smarter L Servers X DevicesIndustry Standard Protocols Data, Hosts (HTTP, XML, SOAP, WSDL, UDDI) Richer, More Applications Leverag roductive User Globally-Available Experience Federated Web Servic

Standards adherence is crucial
Web services will not reach their full potential without vendor interoperability…

W3C
• Committee overseeing the development and adoption of Internet standards

WS-I
• Industry initiative to promote vendor Web Services interoperability • Over 150 participants, including Microsoft, IBM, Oracle, SAP, Sun… • See www.ws-i.org for more information OASIS
• Involved in WS-Security standardisation process

From standards to implementation
• .NET provides an implementation of the Web

Services technology stack. • Other vendors have similar libraries
• • • • IONA – Orbix E2A Web Services IBM – WSTK for WebSphere (Now the ETTK) BEA – Integrated into WebLogic 8.1 appserver Open source/Freeware
• AXIS (Apache) • Glue • Etc…

Agenda
• Building the Programmable Web • .NET and Web Services • Furthering standards: GXA • Summary

.NET and Web Services
• ASP.NET Architecture • Creating and consuming Web Services • Watching SOAP Messages • Adding meta-data to your Web Service

ASP.NET Web Services Architecture
SOAP Requests

SOAP Responses Client Code ISAPI Ext Platform OS IIS

ASP.NET Web Service [WebMethod] Public string blah() {…} ASP.NET Worker Process Common Language Runtime

O/S (W2K, XP, WS2K3)

ASP.NET – Server Side
• To create a web service: • Create a new project in VS.NET • Add a Web Service class • Add methods to the class, decorate with [WebMethod] attribute
[WebService] Public Class Foo { [WebMethod] public string Hello( string strName) { … } } …

ASP.NET – Client Side
• To consume a web service: • Add a web reference to the web service to your project • This adds a Web Service proxy class to your project • Instantiate an instance of the proxy class and begin calling methods on it.
… localhost.Foo ws = new localhost.Foo(); string result = ws.Hello(); …

Demo – Create and Consume a simple Web Service

demo

Drilling into SOAP Messages
<s:Envelope xmlns:s=“http://www.w3.org/2001/09/soap-envelope”> <s:Header> <c:alertcontrol xmlns:c=“http://example.org/alctl”> <c:priority>1</c:priority> <c:expires>2001-10-25T14:00:00</c:expires> </c:alertcontrol> </s:Header> <s:Body> <m:alert xmlns:m=“http://example.org/alert”> <m:msg>Pick up Mary at school at 2pm</m:msg> </m:alert> </s:Body> </s:Envelope>

Demo – Use proxyTrace to watch SOAP messages

demo

Adding meta-data to your service
• You can add useful information to your Web

Service’s browse page with attribute parameters: • This information also appears in the Web Service’s WSDL description
[WebService(Description=“Foo Service”, NameSpace=“http…”)] Public Class Foo { [WebMethod(Description=“Hello method”)] public string Hello( string strName) { … } … }

Demo – Adding meta-data to your Web Service

demo

Adding state to your Web Service
• By default, state is not supported in Web

Service methods. • Can overide by setting the EnableSession property of [WebMethod] to true • Session[] will be available from the method • Can use normal ASP.NET session features
[WebMethod(EnableSession=True)] public string Hello( string strName) { } … Session[“blah”] = “blahblahblah”

Adding state to your Web Service
• ASP.NET uses cookies to keep track of

sessions • Default client proxy does not know about cookies – need to add a container for them.
… // Form init code ws = new localhost.Foo(); ws.CookieContainer = new System.Net.CookieContainer() … string result = ws.Hello(); …

Demo – Adding state to your Web Service

demo

Using IIS to secure WS’s
• Web Services in ASP.NET can use IIS

authentication (as well as SSL) • Simple, but:
• Ties you to IIS for authentication • Not an open approach

• Quickest approach for securing Web

Services when you’ve got control over both ends of the equation…

IIS Security
Client
SOAP HTTP Request

IIS
SOAP Message

ASP.NET WS

• Can use any of IIS’s authentication methods…

IIS Steps: Server
• Create a group for access control • Use role-based security checks in your Web

Service code (checking that group) • Use inetmgr to turn off anonymous access to that Web Service

IIS Steps: Client
• Add Credentials to the Web Service Proxy

instance:
Using System.Net; … // Form init code ws = new localhost.Foo(); ws.Credentials = CredentialCache.DefaultCredentials; …

Demo – Securing a Web Service using IIS/ASP.NET

demo

Agenda
• Building the Programmable Web • Web Services in .NET • Furthering standards: GXA • Summary

There are still some gaps to fill…
End-to-end security including authentication, authorization, message integrity and encryption Ability to dynamically configure message routing paths for scalability and fault tolerance End-to-end guarantee of message delivery with semantics (at-leastonce, at-most-once, exactly-once) Ability to transact across companies and provide compensation semantics Security

Routing Reliable Messaging

Transactions

Global XML Web Services Architecture - GXA
Transactions Reliable Messaging …

Referral Routing

Security License …

Directory Inspection Description

GXA Design Principles
• • •

General-purpose
• Agnostic to application domain

Standards-based
• Multi-vendor interoperation critical

Federated
• No central point of administration, control or failure

Modular
• Factored to stand alone or work together

General-Purpose

Universal communications
• • Across machine Across process

Application category neutral
• • • • Enterprise application integration Business-to-business Business-to-consumer Peer-to-peer

Flexible communications
• • • • Extensible headers Extensible body Extensible communication topology Transport protocol neutral

Platform neutral
• • • • Devices Desktops Clusters Datacenters

Standards-Based

We are committed to…
• Publishing GXA specifications • Working with partners to refine specifications • Working with partners, customers, and standards bodies for broad adoption
WS-Security submitted to OASIS • WS-I likely to profile security and other functionality

Federated
• • • •

Fully distributed Builds upon DNS and IP Strong affinity towards hierarchical URI Crosses organization and trust domains
• Can be inspected by firewalls • Can interoperate with Kerberos and PKI

Does not require centralized servers or administration

Modular
• • • • •

GXA framework layered on SOAP/WSDL extensibility hooks GXA surfaced as composable headers for SOAP messages GXA specifications are highly factored
• Often coalesced as they evolve

GXA specifications are combined to provide endto-end capabilities GXA protocols augment problem domain-specific protocols (e.g., banking)

Modular: Example
SOAP Message
Routing
<?xml version="1.0" encoding="utf-8"?> <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <S:Header> <m:path xmlns:m="http://schemas.xmlsoap.org/rp"> <m:action>http://tickers-r-us.org/getQuote</m:action> <m:to>soap://tickers-r-us.org/stocks</m:to> <m:from>mailto:johnsmith@isps-r-us.com</m:from> <m:id>uuid:84b9f5d0-33fb-4a81-b02b-5b760641c1d6</m:id> </m:path> <wssec:Security xmlns:wssec="http://schemas.xmlsoap.org/ws/2002/04/secext"> <wssec:BinarySecurityToken ValueType="wssec:X509v3" EncodingType=“wssec:Base64Binary"> dWJzY3JpYmVyLVBlc…..eFw0wMTEwMTAwMD </wssec:BinarySecurityToken> </wssec:Security> </S:Header> <S:Body> <app:TrafficStatus xmlns:app="http://highwaymon.org/payloads"> <road>520W</road><speed>3MPH</speed> </app:TrafficStatus> </S:Body> </S:Envelope>

Security

WS-Security 1.0

A specification for proposed SOAP extensions to be used when building secure Web services.
• Supercedes the following specifications
SOAP-SEC • Microsoft’s WS-Security, WS-License • IBM’s security token and encryption

• Dependent upon XML DIGSIG, XML Encryption, XML Schema, SOAP… • Defined schema

WS-Security 1.0

Protection
• Integrity = XML Signature + Security Tokens • Confidentiality = XML Encryption + Security Tokens

Non-Goals of WS-Security
• • • • •

Establishing a security context that requires multiple exchanges Key exchange and derived keys How trust is established Policy Enforcement Provisioning of certificates
• XKMS

WS-Security 1.0

We have some more work to do…
WS-Secure Conversation

WS-Federation

WS-Authorization

WS-Policy

WS-Trust WS-Security SOAP

WS-Privacy

Today

Refer to Security Roadmap – http://msdn.microsoft.com/webservices

Summary
• Reviewed Web Services protocol stack • Looked at how you can leverage Web

Services from .Net • Looked briefly at how web services will evolve over time

Further information
• • • • • •

http://msdn.microsoft.com http://gotdotnet.com Developmentor mailing list MSDN Updates (monthly)
• http://msdn.microsoft.com/flash

Melbourne .NET User’s Group (http://www.mdnug.org) Australian Developers.NETwork (http://www.ausdev.net)

© 2001 Microsoft Corporation. All rights reserved.

Sign up to vote on this title
UsefulNot useful