Developing java web services: Architecting and developing secure web services using java

oration and e-Commerce Services IMAP, POP, S/MIME, SMS, Java Mail, etc. J2EE NetBeans, UML, BPSS, WSDL, UDDI, CPP/A, ebXML Reg/Rep, etc. Web Services Identity and Policy LDAP, Liberty, SAML, XML-DSIG, XKMS, XML Encrypt, Kerberos, ebXML Reg/ Rep, UDDI, PKCS, PKIK, WBEM, XACML, X.509, JCA/JCE, P3P, JAAS, etc. Base Platform UNIX, NFS, FTP, DHCP, TCP, IPv6, IPv4, IPSec, GSS-API, SCSI, Fiber Channel, etc. Primary source: Sun ONE Architecture Guide - J2ME - RSS - WML - SyncML - RDF - cHTML/XHTML - voiceXML - WSRP - WSIA - JavaPortlet Specification, etc. - UDDI - ebXML - JMS - J2EE Connector Architecture - JDBC - SQL - EDI SOAP, UDDI, WSDL, JAX-RPC, JAXM, JAXR, XML Schema, SAX/DOM, JAX-P, ebXML Messaging Service, etc. 726 Chapter 14 ■■ The Service Delivery layer again can be based on a plethora of standards and technologies in content transformation, formatting, and provisioning space mainly. Various standards such as XHTML, VoiceXML, and cHTML represent the formatted content as markup. Also, the J2ME technology platform can be used for provisioning services as Java applications on resource-constrained hand-held client devices. ■■ The Service Container layer is based on the industry standard J2EE platform. Also, Sun ONE supports standards for packaged applica- tion components such as Java Mail, S/MIME, POP, IMAP, and SMS in the areas of messaging and collaboration. The Sun ONE service container can support hosting Web services built upon the standard SOAP/UDDI/WSDL standards. In addition, it also can support hosting Web services built using ebXML technology specifications. ■■ Sun ONE architecture enables the integration with backend data, internal applications, as well partner services by leveraging stan- dards and technologies such as J2EE Connector Architecture, JMS, JDBC, SQL, EDI, UDDI, ebXML Registry/Repository, and so on. Now, let’s see which products can be used for providing infrastructure to the Sun ONE SoD. Sun ONE Product Stack: Integrated versus Integrate-able Currently, Sun ONE is an architecture that is based upon industry standards encompassing different areas of a SoD. As a result, although Sun ONE is the branded vision and architecture from Sun Microsystems, a Sun ONE imple- mentation can quite possibly be based upon products adhering to these stan- dards, from companies other than Sun Microsystems. This scenario presents what is known as an “Integrate-able” product stack wherein Sun ONE archi- tecture is realized using infrastructure products from different companies. For example, anyone can implement a Sun ONE SoD using Sun’s Sun ONE Portal server along with BEA’s WebLogic Application Server. An “Integrated” product stack to build and deploy SoD using all the Sun ONE branded products also is provided by Sun Microsystems. Sun thus presents alternatives for implementing Sun ONE architecture-based ser- vices. Figure 14.4 shows the Sun ONE integrated product stack consisting of the Sun ONE-branded products from Sun Microsystems. Introduction to Sun ONE 727 Figure 14.4 Sun ONE architecture: Integrated product stack. Now, Let’s briefly discuss the functionalities provided by some of the major Sun ONE products shown in Figure 14.4. Sun ONE Studio Sun ONE Studio comes in two flavors: Sun ONE Studio 4 (formerly Forte for Java) and Sun ONE Studio 7, Compiler Collection (formerly Forte Com- piler Collection). Sun ONE Studio 4 is an IDE for the Java language system. It is based on the open source NetBeans Tools platform. NetBeans has a modular design—it defines a framework that can be used to develop modules focusing on a specific set of functionalities (UML modeling or performance monitoring, for example), such that these modules can be plugged in on Service Creation, Assembly, and Deployment Service Delivery Service Integration Service Container Runtime environment and core services Messaging, Collaboration and e-Commerce Services S1 BuyerXPert, S1 BillerXpert, S1 Messaging Server, S1 Calendar Server Sun ONE Application Server Sun ONE Studio Web Services Identity and Policy Sun ONE Directory Server, Sun ONE Platform for Network Identity Base Platform Solaris Operating Environment, Sun Cluster, Sun StorEdge Primary source: Sun ONE Architecture Guide - Sun ONE Portal Server - Sun ONE Application Framework - Sun ONE Web Server Sun ONE Integration Platform - S1 Message Queue - S1 IS EAI Edition - S1 IS B2B Edition Sun ONE Web and Application Server 728 Chapter 14 any NetBeans-based IDE to use the specific functionality that it provides. Also, because NetBeans is written using Java technology, this IDE is avail- able on most of the platforms. Sun ONE Studio 4 is available in three edi- tions: Enterprise Edition, Community Edition, and Mobile Edition. Enterprise Edition. It provides an environment to develop J2EE 1.3 applications and deploy them to a wide range of application servers, such as Sun ONE’s Application Server, BEA’s WebLogic Application Server, or Oracle’s 9iAS. Also, Sun ONE Studio 4 provides built-in support for creating and deploying Web services based on WSDL, UDDI, and SOAP technologies. It also supports Web services creation using the Java APIs for XML. In order to develop J2EE 1.2 platform applications, Sun ONE Studio 3.0 also has been made available. Community Edition. It provides an IDE for developing stand-alone applications, Java applets, Java Bean components, and database aware 2-tier Web applications using JavaServer Pages/Servlets/JDBC technologies. Mobile Edition. It enables the development of J2ME MIDlet applica- tions. It provides a debugger for debugging the source code of the MIDlets. Also, the support for mounting emulators as well as SDKs from third parties has been made available. Sun ONE Studio 7, Compiler Collection provides tools for the rapid development of applications using the language systems of C, C++, and Fortran. This IDE is targeted toward ISVs and corporate developers involved heavily in maintaining and developing legacy applications. Solaris Operating Environment The newest version of Solaris Operating Environment is 9.0, which was launched by Sun in the summer of 2002. Interestingly, this new version of Solaris provides traditional OS functionality plus application and directory management services, that is, Sun bundles the Sun ONE Application Server and Sun ONE Directory Server along with Solaris 9.0. Apart from this, Solaris 9 OE also carries enhancements in the areas of scalability, avail- ability, manageability, and security. Also, the earlier versions of Solaris OE are available. Sun Cluster Sun Cluster software is designed to deliver high availability application services to a data center or an enterprise. It basically extends the Solaris operating environment to enable the use of its core services, such as Introduction to Sun ONE 729 devices, file systems, and networks in a seamless manner across a tightly coupled cluster. Thus, it helps increase the service levels of software. Sun ONE Portal Server The Sun ONE Portal Server (formerly iPlanet Portal Server) is a platform for deploying business-to-business, business-to-consumer, and business- to-employee portals. It provides the services required to build portal sites, including user and community management, personalization, content aggregation, integration, security, and search functionalities. It also pro- vides support for the access of services by wireless clients, secure remote access, and knowledge management. Sun ONE Web Server The product is an environment for deploying Web applications. It supports the JavaServer pages and Servlet technologies to generate personalized and dynamic content. The Sun ONE Web Server is bundled with the Sun ONE Directory Server to enable centralized server management and user authentication. Sun ONE Messaging Server Formerly known as iPlanet Messaging Server, this product provides a solu- tion for communication and messaging. For example, it enables the deploy- ment of unified communication services, bringing together telephone services with e-mail notification, faxing, paging, and other technologies. This provides a single entry point to retrieve voice mails, e-mails, address books, and calendar information. Sun ONE Directory Server The Sun ONE Directory Server (formerly iPlanet Directory Server) offers a central repository for storing and managing identity profiles, access privi- leges, and application and network resource information. Information stored in the Sun ONE Directory Server can be used to provide services such as authentication, authorization, access management, and single sign- on to the users. Sun ONE Identity Server Formerly known as iPlanet Directory Server Access Management Edition, the Sun ONE Identity Server is designed to help organizations manage 730 Chapter 14 secure access to Web-based resources. The product provides an identity system that includes access management, identity administration, and directory services. It supports the policy-driven administration of identities. Sun ONE Application Server Sun ONE Application Server (formerly known as iPlanet Application Server) provides a J2EE-based platform for the development, deployment, and management of middleware application components. The product provides a broad range of middleware services such as persistence, state management, load balancing, transaction management, security, and so forth, to the components hosted within. Sun ONE Integration Server Two editions of the Sun ONE Integration Server (formerly iPlanet Integra- tion Server) are available: Sun ONE Integration Server EAI Edition and Sun ONE Integration Server B2B edition. The former is focused on providing data- and process-based integration of internal applications using XML-based technologies such as SOAP, while the latter provides a platform for integrating with customers and trading partners of an organization. Sun ONE Message Queue This product (known formerly as iPlanet Message Queue) is message- oriented middleware (MOM) software. It implements the JMS specification. The integrated Sun ONE product stack from Sun is obviously quite complete, covering almost all areas of software infrastructure and tools. Further information on Sun ONE products can be obtained from wwws .sun.com/software/sunone/. Summary In this chapter, we introduced Sun ONE, Sun’s vision of a standards-based software, architecture, and platform for building Services on Demand (SoD). The main components of Sun ONE have been examined: The vision behind Sun ONE; delivering Services on Demand; Sun ONE architecture, service layers, standards, and technologies; and the Sun ONE Integrated Product Stack. Introduction to Sun ONE 731 733 Chapter 1 Java Remote Method Invocation (RMI) home Java RMI tutorial Java RMI over IIOP Java 2 Platform, Enterprise Edition (J2EE) Java Web services home Microsoft DCOM home www.microsoft.com/com/tech/DCOM.asp Object Management Group www.omg.org/ (OMG) homepage Web services zone home www.ibm.com/developerworks/webservices/ Further Reading Chapter 2 DSML homepage www.dsml.org ebXML homepage www.ebxml.org ebXML messaging www.ebxml.org/specs/index.htm specifications IBM WSFL page www.ibm.com/software/solutions/webservices /pdf/WSFL.pdf OASIS BTP activity home www.oasis-open.org/committees /business-transactions/ OASIS UDDI activity home www.oasis-open.org/cover/uddi.html Sun WSCI information page www.sun.com/software/xml W3C SOAP activity home www.w3.org/TR/SOAP/ W3C WSDL activity home www.w3.org/TR/wsdl12 W3C XML activity home www.w3.org/XML Chapter 3 Apache Axis information BEA Weblogic information www.bea.com J2EE design patterns /j2ee_patterns Server-side.com www.theserverside.com/patterns/index.jsp J2EE patterns SJC J2EE patterns /technicalArticles/J2EE/patterns/ Sun Java Web services blueprints Sun Java Web services pages W3C Web services www.w3.org/2002/ws/ activity home 734 Further Reading Chapter 4 Apache Axis project Apache SOAP project ebXML messaging service www.ebxml.org/specs/ebMS2.pdf specifications W3C SOAP 1.2 adjuncts www.w3.org/TR/soap12-part2/ W3C SOAP 1.2 messaging www.w3.org/TR/soap12-part1/ framework primer W3C SOAP 1.2 primer www.w3.org/TR/soap12-part0/ W3C XML protocol www.w3.org/2000/xp/Group/ activity home Chapter 5 UDDI community portal www.uddi.org UDDI cover pages www.oasis-open.org/cover/uddi.html UDDI, ebXML and XML/EDI (paper) www.xml.org/feature_articles/2000 _1107_miller.shtml UDDI and WS-inspection www-106.ibm.com/developerworks (paper) /webservices/library/ws-wsiluddi.html UDDI Web site (unofficial) www.uddicentral.com WSDL, compilation of low-level issues WSDL cover pages WSDL, a paper on using www-106.ibm.com/developerworks WSDL with SOAP /webservices/library/ws-soap/ WSDL tools, a compilation WSDL W3C note www.w3.org/TR/wsdl Yahoo group for discussion www.oasis-open.org/cover/uddi.html on UDDI issues Yahoo group for discussion on WSDL issues Further Reading 735 TE AM FL Y Team-Fly® Chapter 6 Microsoft SOAP www.mssoapinterop.org/ interoperability page SOAP builders interoperability www.xmethods.com/ilab/ homepage SOAP builders interoperability www.whitemesa.com/interop.htm results page Web service interoperability www.ws-i.org organization home Chapter 7 Document Object www.w3.org/DOM/ Model (DOM) home Java API for XML-based RPC (JAX-RPC) home Java API for XML Messaging (JAXM) home Java API for XML Processing (JAXP) home Java API for XML Registries (JAXR) home Java Architecture for XML Binding (JAXB) home Java technology and XML Java XML pack home /javaxmlpack.html JWSDP home /webservicespack.html SAX home www.saxproject.org/ 736 Further Reading Chapter 8 Java API for XML Processing (JAXP) home Java Architecture for XML Binding (JAXB) home The CASTOR project home Crimson JAXP parser home Document Type Definition www.w3.org/TR/html4/sgml/dtd.html (DTD) home Extensible Stylesheet www.w3.org/Style/XSL/ Language (XSL) home OASIS home www.oasis-open.org/ O’Reilly XML.com home www.xml.com World Wide Web Consortium www.w3c.org (W3C) home W3C XML schema home www.w3.org/XML/Schema Xalan Java transformer home Xerces2 Java parser home XML Industry portal home www.xml.org XML Path Language (XPATH) home www.w3.org/TR/xpath XSLT specification home www.w3.org/TR/xslt Chapter 9 JAXM home page JWSDP download information http:java.sun.com/webservices /webservicespack.html JWSDP tutorial /tutorial/index.html SAAJ home page Sun JAXM/SAAJ tutorial /tutorial/doc/JAXM.html Further Reading 737 Chapter 10 JAX-RPC home page http:java.sun.com/xml/jaxrpc/ JWSDP download information /webservicespack.html JWSDP tutorial /tutorial/index.html Sun JAX-RPC tutorial /tutorial/doc/JAXRPC.html Chapter 11 Yahoo group for discussion on JAXR issues /jaxr-discussion/ An article on JAXR at onjava.com /2002/02/27/uddi.html Articles on JAXR at Javaworld.com /jw-06-2002/jw-0614-jaxr.html /jw-05-2002/jw-0517-webservices.html An article on registration and discovery of Web services to /technicalArticles/WebServices/jaxrws/ UDDI and ebXML registries using JAXR Java.sun.com chat with JAXR spec. lead /community/chat/JavaLive/2002/jl0507.html JAXR cover pages Presentation on JAXR /webservices/pres/jaxr_v5.pdf 738 Further Reading Chapter 12 Java Web services developer pack home /webservicespack.html Java Web services tutorial home /tutorial/index.html Chapter 13 Liberty Alliance, official Web site www.projectlibert.org Securing Web services, www.line56.com/articles/default articles on issues .asp?ArticleID=3779 Sun Dot Com builder Web services best practices Web Services Security forum www.webservices.org/index.php/article at Webservices.org /archive/5/ Web services security forum www.xwss.org/index.jsp at XWSS Web services security at www.theserverside.com/resources/article Theserverside.com (paper) .jsp?l=Systinet-web-services-part-3 WS-security, paper introducing www-106.ibm.com/developerworks/library /ws-secure/ Chapter 14 Sun ONE architecture guide /arch/index.html Sun ONE official Web site Further Reading 739 741 Index A Abstract Syntax Notation One, 654 actor attribute, 127 addBusinessKey ( ) method, 265 addHeader ( ) method, 410 addName ( ) method, 261 function, 227, 252 AdminClient utility, 158 Advanced Encryption Standard, 625 element, 675 Ant utility, 62, 69, 77, 83, 89–92, 310 Apache Tomcat server, 147–149, 165–166, 172–173, 309 Xalan, 166 Xerces, 148, 166, 342, 345 See also Ant utility; Axis Applied Cryptography (Bruce Schneier), 622 architectural models, 6–15 arrays, 119, 121–123, 473 element, 704 data structure, 253 Association class, 501, 508–509 asymmetric algorithms, 626–628 asynchronous connections, 513–514 AttachmentPart object, 417, 422 attachments, SOAP, 109–110, 116–117 attribute assertion, SAML, 693–694 attributes, 320, 335–336 AuditableEvent instance, 502 authentication, 622–623 authentication assertion, SAML, 691–693 element, 679, 681 authorization, 143–144, 622 authorization assertion, SAML, 694–696 data structure, 250 Axis (Apache) downloading, 62, 147, 165 features, 62, 146–147 infrastructure and components, 150–154, 158–159 installing, 147–149 .NET client, building infrastructure, 279–280 overview, 278–279 service provider, 282–284 service requestor, 284–289 remote administration, 152 742 Index Axis (Apache) (continued) service requester setup, 98–99 Tomcat server, 147–149 Web service creation, example DAO classes, use of, 180–187 database creation, 167–173 infrastructure, building, 161–165 service provider, 165–173, 175–176, 191–194 service requestor, 173, 176–178, 194–196 testing services, 179–180, 196–198 XML Helper classes, use of, 187–191 Web services programming model, 155–160 WSDL tools, 215 B B2B. See business-to-business (B2B) communication Basic Encoding Rules, 654 element, 683 element, 685 BEA, 15, 61. See also WebLogic tag, 152 BEEP (Blocks Extensible Exchange Protocol), 137–138 binding, 302–304, 385, 395–396, 696. See also Java Architecture for XML Binding data structure, 241, 245, 252 element, 205, 210 data struc- ture, 230–231, 241, 242, 244, 251 Blocks Extensible Exchange Protocol (BEEP), 137–138 Body element, 112, 213, 228 browser, registry, 535–537 build.xml script, 69, 77–78, 83–84, 89–91 element, 682, 683 element, 685 BulkResponse interface, 518–521, 682 element, 682 element, 682 data structure, 244, 246, 251, 257 data structure, 229–230, 237, 239, 244, 251, 257 data structure, 235–237, 261 BusinessLifeCycleManager interface, 516, 519–521 data structure, 235–238, 261 BusinessQueryManager inter- face, 523–531 data struc- ture, 230, 238, 241, 244, 247, 251 business-to-business (B2B) commu- nication, 17, 19–21, 24–25, 30–32, 720 C Call object, 469 canonicalization, XML, 655–656 element, 652, 653, 661 capabilities, JAXR, 497 capability interfaces, 496 capability profiles, JAXR, 497–498 Cape Clear, 35 cascading style sheets, 364 CASTOR (Exolab), 384–385 categorization, 233–236 data structure, 232, 233, 236, 248 Certificate Authority, 630 characters ( ) method, 348 element, 641 Index 743 Classification interface, 501, 503–506, 527–528 ClassificationScheme inter- face, 500, 503–508 clientgen utility, 62, 92 element, 683 client/server application, 6–10 close ( ) method, 515 Collaborative Protocol Agreement, 722 comment, XML, 318 Common Language Runtime (CLR), 275, 276 Common Object Request Broker Architecture (CORBA), 6–10 communication models, 14–15, 50–51, 57 complexType, 335, 336 Component Object Model (COM), 13 Concept instances, 501, 505 conditional processing, 370 confidentiality, 622 confirmAssociation ( ) method, 509 ConnectionFactory object, 510–511, 513–514, 516 Connection interface, 496 connection management API, 510–516 connection pool, creating, 65 Content-ID reference, 116–117 Content-Location reference, 116–117 ControllerServlet, 593–595 CORBA. See Common Object Request Broker Architecture CPP/CPA, ebXML, 30, 49 createConnection ( ) method, 408, 513 createMessageFactory method, 415 createObject ( ) method, 517 Crimson parser, 339, 342, 345 cryptography, 621–628 D DAO classes, 70–78, 180–187, 280–283 database server, 6 database tables, 65–70 Data Encryption Standard, 625 DataHandler class, 475 data source, creating, 65 data structures, UDDI, 229–232 data types, 331, 333, 472–475 DCOM (Distributed Common Object Model), 13–14 DeclarativeQueryManager interface, 531–533 decryption, 643–650 DecryptionContext ( ) object, 648–650 DefaultHandler class, 344, 346–347, 349 element, 205, 208 function, 228, 252 function, 227, 251, 265 deleteObjects ( ) method, 518 <delete_publisherAsser- tions> function, 227 function, 228, 252 function, 228, 252 deployment descriptor, 88–89, 445–447, 461–462, 480–481 deprecateObjects ( ) method, 519 deserialization, 124, 152, 455, 472 destroy ( ) method, 458 detached signatures, 652 element, 113, 250, 410 digital certificate, 630 digital signature, 33, 142–143, 628–629, 667 744 Index Digital Signature Algorithm (DSA), 629 DII. See Dynamic Invocation Interface Directory Services Markup Language, 31–32 function, 228, 250 data structure, 238, 250, 251, 252 Distinguished Encoding Rules, 654 Distributed Common Object Model (DCOM), 13–14 distributed computing advantages, 5–6 challenges in, 16–17 core technologies, 6–14 definition, 4–5 importance, 5–6 J2EE role in, 17–19 service-oriented architecture, 22, 41 XML role in, 19 DLL. See Dynamic Link Library Document Builder, JAXP, 340 DocumentBuilderFactory class, 340, 342, 355–357 Document object, 357–359 Document Object Model (DOM), 300, 647, 648 Document Type Definition (DTD), 299, 325–329 doDecrypt ( ) method, 648 doDelete ( ) method, 265, 557–558 doEncrypt ( ) method, 645–648 doGET ( ) method, 702 doPublish ( ) method, 538 doQuery ( ) method, 551 doSearch ( ) method, 261 doSubmit ( ) method, 257 DSA (Digital Signature Algorithm), 629 element, 654 element, 143 element, 640, 671–674 element, 673 element, 143 element, 672, 680 element, 679, 684 element, 143 DTD. See Document Type Definition Dynamic Invocation Interface (DII), 469–471, 488–490, 578, 596 Dynamic Link Library (DLL), 277–278, 286–287 E electronic business Extensible Markup Language (ebXML) Business Process Specification Schema (BPSS), 721, 722 Collaborative Protocol Profile (CPP), 721–722 components of, 30, 49 consumer servlet, 443–445 development of, 719 Messaging Service, 720, 722 producer servlet, 439–443 Registry/Repository, 46, 721, 722 technical architecture, 719–723 Web services implementation, 53 WUST technologies, 45 element, XML attributes, 320, 335–336 collision, 323 complex, 332 declaration, 325 description, 319–320 explicit and implicit types, 333 local and global definitions, 334 multi-attribute, 327 Index 745 prefixes, use of, 323 XML Schema, 330–335 encodingStyle attribute, 111, 112, 213–214 EncryptDecrypt class, 637, 645, 648 element, 640 element, 640–641 encryption, 140–142, 622, 641–643, 644–650 EncryptionContext object, 646 element, 640 EncryptionTest class, 637–641 endDocument ( ) method, 347 endElement ( ) method, 348 Entegrity, 688 entities, XML, 320–322, 327–328 Entrust, 630, 668, 671 enumeration data type, 118–119 enveloped signatures, 651 Envelope element, 108, 110–111 enveloping signatures, 651 ErrorListener interface, 375 executeQuery ( ) method, 532 Exolab, 384–385 extensibility elements, 211 Extensible Markup Language. See XML ExtensibleObject interface, 502 Extensible Stylesheet Language. See XSL Extensible Stylesheet Language Transformation. See XSLT ExternalIdentifier instances, 501, 532 ExternalLink class, 501, 532 ExtrinsicObject class, 502 F FactoryConfigurationError message, 340, 345 FactoryConfiguration Exception message, 348, 359 faultactor element, 113 faultcode element, 113 element, 112–115, 209, 210 faultstring element, 113 FederatedConnection interface, 516, 534 federated Web services, 723 function, 227, 241–243 function, 227, 234, 261 FindBusiness object, 261 element, 236, 239, 241, 242, 248 FindQualifiers interface, 526–527 function, 227, 238–240 function, 227, 240–241 function, 227, 243–244 G generateSignature ( ) method, 662–663 GenerateValidateSignature class, 657, 661–663, 666 getAssertion ( ) method, 702 function, 253 get_authToken method, 228, 250, 257, 265 function, 227, 245 function, 227 function, 227, 244, 245 getCatalog ( ) method, 596 TE AM FL Y Team-Fly® 746 Index getCoreValidity ( ) method, 668 getDocument ( ) method, 647 getFeature ( ) method, 346 getKeyInfoResolver ( ) method, 646 getPort method, 467, 486 getProductCatalog ( ) method, 583–584, 597, 599, 612 function, 252 getReferenceValidity ( ) method, 667–668 function, 253 getRegistryService ( ) method, 514 function, 227, 245 getSignedInfoValidity ( ) method, 667–668 getStatus ( ) method, 513 function, 227, 245 getXMLReader ( ) method, 349 H HandlerBase class, 344, 346–347, 349 handlers, Axis, 150 hashing, 624, 629 Header attribute, 111 HTML tags, 314 HTTP (Hyper Text Transfer Proto- col), 17, 131–134, 137, 290 I IBM e-Business, 37 Key Generator utility, 642 MQSeries, 15 Network Accessible Services Speci- fication Language (NASSL), 202 products, 35 UDDI access point URLs, 228 Web Services Toolkit, 215, 254 WebSphere Application Server 4.5, 35 XML Security Suite, 656 data structure, 231, 236 init ( ) method, 458 element, 209, 210 integrity, 623, 629 interface class, 70 intermediaries, SOAP, 125–128 interoperability challenges, 290 importance of, 271 Java API for XML Messaging (JAXM), 450 Java API for XML RPC (JAX-RPC), 491 means of ensuring, 272–273 SOAP proxies, 273 testing, 274, 292 W3C XML Schema Definitions (XSD), defining, 273 of Web services, 26 Web Services Interoperability Organization, 291–292 WSDL and, 273 invoke ( ) method, 157 IOPSIS, 35 iPlanet products, 36, 701, 730, 731 isAssertionValid ( ) method, 704, 705 isAvailable ( ) method, 513 isNamespaceAware ( ) method, 356–357 ISO 3166 categorization system, 234, 248 issuing authority, SAML, 689–695 isValidating ( ) method, 357 isValid ( ) method, 395 Index 747 J J2EE architecture, 17–19 JABBER, 105 Java2WSDL utility, 153, 215–220 Java API for XML Messaging (JAXM) application architecture, 403–406 asynchronous messaging deployment, 445–448 ebXML consumer servlet, 443–445 ebXML producer servlet, 439–443 testing, 448–449 communication using provider, 414–419 communication without a provider, 420–424 deployment, 425–430 description, 58, 304–306, 722 interoperability, 450 in J2EE 1.4 platform, 450 java.xml.messaging, 407–408 java.xml.soap, 409–413 JAX-RPC compared, 454 message interaction patterns, 406 point-to-point messaging, 431, 434–438 role in Web services, 402–403 Java API for XML Processing (JAXP) API model, 339 classes and interfaces, list of, 340–341 description, 58, 298, 337–338 DOM description, 300, 353 document builder, 357–358 namespaces, 356–357 processing model, 354 sample source code, 360–364 tree, 359 validation, 357 implementations, 342 parser, 339 pluggable interface, 301–302, 338–339 reference implementation, 303 SAX default handler, creating, 346–348 description, 299, 342–343 features, setting, 346 namespaces, setting, 345–346 processing model, 343 reading and writing XML, 349 sample source code, 350–353 SAX parser, 344–349 validation, setting, 346 threading, 383 uses for, 338 version, 314, 338 XSLT description, 300–301, 373–377 sample code, 377–383 Java API for XML Registries (JAXR) architecture components, 494–496 association of registry objects, 508–509 capabilities, 497 capability profiles, 497–498 classes and interfaces, 499 classification of registry objects, 502–507 deleting information, 557–561 description, 58, 308, 494, 722 information model, 499, 503 programming model, 498 publishing compiling, 547–549 executing, 549–550 programming steps, 538 source code, 539–547 querying, 551–557 Registry Browser, 535–537 Registry Server, JWSDP, 533–535 registry services API connection management API, 510–516 748 Index Java API for XML Registries (JAXR) (continued) life cycle management API, 516–521 query management API, 522–533 Java API for XML Remote Procedure Calls (JAX-RPC) application architecture, 454–456 client classes, 466 description, 455 Dynamic Invocation Interface (DII), 469–471, 488–490 dynamic proxy-based, 467–469, 486–488 exception, 466 interfaces, 465 stub-based, 466–467, 484–486 description, 58, 306–308 example Web service, 307–308 interoperability, 491 in J2EE 1.4 platform, 491 JAXM compared, 454 mapping, 472–475 role in Web services, 452–453 service configuring, 459, 463, 478 definition, 457–458, 476–477 description, 454–455 developing from Java classes, 457–462 developing from WSDL docu- ment, 463–464 implementation, 458–459, 477 packaging and development, 460–462, 464, 480–482 testing, 482–483 stubs and ties, generation of, 460, 479–480, 483–484 Java Architecture for XML Binding (JAXB) data binding generation, 386–392 description, 58, 302–304, 383–385 marshalling XML, 392–394 sample code, 395–399 services provided, 303 unmarshalling Java, 394–395 Java Database Connectivity (JDBC), 59, 497 Java for WSDL (JWSDL), 202 Java Messaging Service (JMS), 15, 137, 305 Java RMI (Remote Method Invoca- tion), 10–13 Java Server Pages (JSP), 59 Java Server Pages Standard Tag Library (JSTL), 58, 309, 599–600 Java Web Services Developer Pack (JWSDP) Ant build tool, 311 Apache Tomcat container, 309 case study architecture, 567–568 discovery of Web services, 600–602 execution, 612–615 overview, 563–567 publishing and discovery classes, 572–574 service provider, designing, 568–572 service provider, developing, 582–593 service provider, runtime infra- structure, 602–609 service registry, browsing, 592–593 service registry infrastructure, 609–610 service requestor, designing, 575–582 service requestor, developing, 593–602 service requestor, runtime infra- structure, 610–612 components, 58 Index 749 description, 36, 311–312 document-oriented APIs, 297–298 downloading, 311 Java XML Pack, 297 JAXB, 302–304 JAXM, 304–306 JAXP, 298–303 JAXR, 308 JAX-RPC, 306–308 JSTL, 309 procedure-oriented APIs, 298 registry server, 59, 310 UDDI implementation, 254 Java Web Start, 723 java.xml.messaging, 407–408 Java XML Pack, 297 java.xml.soap, 409–413 JAXB. See Java Architecture for XML Binding JAXM. See Java API for XML Messaging JAXP. See Java API for XML Processing JAXR. See Java API for XML Registries JAX-RPC. See Java API for XML Remote Procedure Calls JDBC (Java Database Connectivity), 59, 497 Jini, 717 JMS (Java Messaging Service), 15, 137, 305 JSP (Java Server Pages), 59 JSTL (Java Server Pages Standard Tag Library), 58, 309, 599–600 JWSDL (Java for WSDL), 202 JWSDP. See Java Web Services Developer Pack K key in asymmetric algorithms, 626–628 definition, 623 key pair creation, 641–643 length, 623, 625 private, 626–628 public, 626–628 secret, 624, 626 in symmetric algorithms, 624–626 See also Cryptography element, 679 element, 676 element, 239, 248 Key Generator utility (IBM), 642 element, 638, 646, 652–654, 661, 665–666 KeyInfoResolver object, 646, 649 element, 673 key recovery service, X-KRSS, 681–685 key registration request, X-BULK, 682–683 key registration response, X-BULK, 684 key revocation request, X-KRSS, 681 keystore file, 664 Keytool utility (Sun), 641–643 element, 673 L Liberty Alliance, 723 Life Cycle Management API, 516–521 LifeCycleManager interface, 516, 517–519 element, 674 element, 675 locate service, XKMS, 672–675 M marshalling, 303, 392–394 maxOccurs attribute, 331–333 Message Driven Beans, 407, 635 element, 205, 208 750 Index MessageFactory object, 412, 415, 418, 421, 424 Message-Oriented Middleware (MOM), 14–15 messaging-based communication model, 51, 155, 157–158 Microsoft Corporation. See specific applications Microsoft Intermediate Language (MSIL), 274–275 Microsoft Messaging Queue, 15 minOccurs attribute, 331–333, 336 misUnderstood attribute, 115 mustUnderstand attribute, 111, 113, 115–116 N NAICS categorization system, 234, 248, 508 namespace, XML default, 322, 323 description, 322–323 DOM and, 356–357 setting, 345–346 XML Schema declaration, 329 XSL, 367 naming conventions, XML, 316–317 .NET (Microsoft) class library, 275–276 client development compiling client application, 278, 288 compiling SOAP proxy as a DLL, 277–278, 286–287 environment setup, 282 executing client from Windows environment, 278, 289 infrastructure, building, 279–281 proxy, generating, 277, 285 service provider, creating, 282–283 service provider, implementing, 283–284 service requestor, creating, 284–289 testing the client, 289 WSDL, obtaining, 277, 284 Common Language Runtime, 275 compilers, 275 description, 37, 274–275 Web site, 276 NetBeans, 728–729 Netegrity, 685, 688 newDocumentBuilder ( ) static method, 355 newInstance ( ) method, 344, 355, 374–375, 510 newSAXParser ( ) static method, 344 newTransformerFactory ( ) method, 374–375 non-repudiation, 623, 629 North American Industry Classifica- tion System (NAICS), 234, 248, 508 not ( ) function, 370 O element, 652, 655 Object Request Broker (ORB), 8, 9 one-way hash function algorithms, 624 OneWayListener interface, 407–408, 418 onMessage ( ) method, 407–408, 418, 424 onMethod ( ) method, 706 Oracle, 35–36 Organization for the Advancement of Structured Information Stan- dards (OASIS), 30, 32–34, 685, 707, 719 Organization instance, 500 element, 209, 210 Index 751 P parse ( ) method, 349 ParserConfiguationException message, 345, 348, 357, 359 Parser Configuration, JAXP, 340 parsing, 298 element, 205, 208–209, 213–214 password, 624 Phaos XML, 633 placeOrder ( ) method, 587, 598 PointBase database, 62, 65, 69, 78, 84, 166, 603 Point-to-Point message model, 15 Policy Decision Point (PDP), 698, 708 Policy Enforcement Point (PEP), 698, 707 Policy Information Point (PIP), 708 Policy Repository Point (PRP), 708 polymorphic accessor, 119 element, 205 element, 205, 208, 209, 210 Possession of Private (POP) key, 678, 679 PostalAddress instances, 502 processing instruction, XML, 318 prolog, XML, 317 element, 679 ProviderConnectionFactory object, 408, 414, 418 ProviderConnection object, 414, 417–418 proxy, 277, 285 Public Key Infrastructure, 32–33, 628, 668–670 data structure, 230, 251, 252, 253 Publish/Subscribe message model, 15 Q qname attribute, 115 element, 674 querying, using JAXR, 551–557 Query interface, 532 Query Management API BusinessQueryManager inter- face, 522–531 DeclarativeQueryManager interface, 531–533 R element, 652, 653 data structure, 253 element, 685 registration service, X-KRSS, 678–680 registry browser, 535–537 RegistryEntry interface, 499–500 RegistryObject class, 499–505 RegistryPackage class, 502 Registry Server, JWSDP, 310, 533–535 RegistryService interface, 496, 514 data structure, 238, 240 data structure, 238–239 remote interface, session bean, 85–86 remote procedure call (RPC) communication model, RPC-based, 50–51, 155–158 Web services, RPC-based, 174–180 See also Java API for XML Remote Procedure Calls replace ( ) method, 648 ReqRespListener interface, 408, 418, 423–424 element, 683 element, 674 element, 675 752 Index element, 653 revocation service, X-KRSS, 680–681 RMI-IIOP protocol, 12–13, 56 root, 317–318, 366 RSA (Rivest-Shamir-Adelman) algorithm, 628, 629, 641–643 element, 654 S SAML. See Security Assertions Markup Language function, 227, 252 function, 227, 233, 251, 257 SaveBusiness object, 257 saveChanges ( ) method, 417, 423 saveObjects ( ) method, 517–518 function, 227, 233, 251 function, 227, 233, 252 SAX. See Simple Access for XML SAXParser class, 340, 344, 348–349 SAXParserFactory class, 340, 344, 345 scalability, 6, 10, 14 Schneier, Bruce (Applied Cryptogra- phy), 622 SearchBusiness function, 260 searching, information in a UDDI registry, 260–264 Securant Technologies, 685, 688 Secure Socket Layer (SSL), 137, 628, 631, 632 security authorization, 143–144 challenges of, 620–621 cryptography, 621–628 description, 140 digital certificates, 630 digital signatures, 142–143, 629–630 encryption, 140–142 goal of, 620 JAXR, 514 XACML, 706–710 XKMS, 668–675 XML Encryption, 630–638 XML Signature, 651–657 See also Security Assertions Markup Language (SAML); specific protocols and technologies Security Assertions Markup Lan- guage (SAML) architecture, 689–691 attribute assertion, 693–694 authentication assertion, 691–693 authorization (decision) assertion, 694–696 back-office transaction scenario, 687 bindings and protocols, 696–697 description, 33–34, 685–687 documents, 688–689 implementation, 687–689 model of producers and consumers, 697–698 Single Sign-On, 686, 698–706 XACML and, 708 serialization, 124, 152, 455, 472 ServiceBinding instance, 500 Service class, 500 service container, 43, 52 Service Container layer, Sun ONE, 724, 725, 727 Service Delivery layer, Sun ONE, 724, 725, 727 service description, WSDL-based, 52, 55 data structure, 245, 251 element, 205, 210 servicegen utility, 62, 91 Service Integration layer, Sun ONE, 724, 725 Index 753 ServiceLifeCycle interface, 458 data structure, 240, 241, 242 service-oriented architecture (SOA), 22 service provider development application design, 63–64 class diagram, 64 client creation, 92–93 DAO classes, building, 70–78 database tables, creating, 65–70 development environment, setting up, 65 generating Web services, 91–94 implementing J2EE components, 70 sequence diagram, 64 session bean, building, 85–91 steps, 62–63 testing service provider, 95–98 XML Helper classes, building, 79–84 service requester, 27, 98–101 session bean, 70, 85–91 SetConcept ( ) method, 505 setCredentials ( ) method, 514 setData ( ) method, 648 setEncryptedType ( ) method, 648 setErrorListener ( ) method, 375 setFeature ( ) method, 346 setNamespaceAware ( ) method, 346 setProperties ( ) method, 511 function, 227, 253 setURIResolver ( ) method, 376 setValidating ( ) method, 346 SignatureContext object, 665 element, 652, 653, 655, 659, 665, 666 element, 652, 653, 661 SignatureTest class, 657–662, 666 element, 143, 652 element, 143, 652, 655, 661, 667 Simple Access for XML (SAX) default handler, creating, 346–348 description, 299, 342–343 features, setting, 346 namespaces, setting, 345–346 processing model, 343 reading and writing XML, 349 sample source code, 350–353 SAX parser, 344–349 validation, setting, 346 Simple Mail Transport Protocol (SMTP), 134–136 Simple Object Access Protocol (SOAP) binding, WSDL, 212–214 communication models, 128–130 components, 46 description, 28, 103–104 emergence of, 105–106 encoding, 109, 118–124 interoperability and, 272–274 JAXM messaging, 305–306 JAX-RPC and, 307–308 limitations, 199 message anatomy attachments, 109–110, 116–117 envelope, 109, 110–111 Fault element, 112–115 header, 111 mustUnderstand attribute, 115–116 request message, 107 response message, 108 message exchange model, 124–127 message exchange patterns, 138–140 754 Index Simple Object Access Protocol (continued) proxies, 273, 277 security, 140–144 SOAP over BEEP, 137–138 SOAP over HTTP, 131–134, 137 SOAP over HTTP/SSL, 137 SOAP over JMS, 137 SOAP over SMTP, 134–136 specifications, 106 versions, 47, 104 in Web services architecture, 45, 46–47 Web services development using Apache Axis Axis infrastructure, 149–154, 161–165 Axis programming model, 154–160 example, 160 implementation of messaging- based services, 180–198 implementation of RPC-based services, 174–180 installing Axis, 147–149 service provider environment, creating, 165–173 service requestor environment, creating, 173 XML-based protocols, 104 XML message discontinuities, 290 Single Sign-On (SSO), 686, 698–706 Slot class, 501 SMTP (Simple Mail Transport Proto- col), 134–136 SOA (service-oriented architecture), 22 SOAP. See Simple Object Access Protocol soapAction attribute, 150, 213, 290 element, 210, 214 SOAP Attachments API for Java, 306 element, 212–213 element, 213–214 SOAPBodyElement object, 417, 422 SOAPBody object, 290, 409–410, 416–417, 421–422 SOAPConnectionFactory class, 421 SOAPConnection object, 411–412, 418–423, 431 SOAPElement object, 412 SOAP Encoding, 46 SOAPEnvelope object, 46, 108, 110, 410, 412, 416, 421 SOAPFaultElement object, 410 SOAPFault object, 290, 410 SOAPHeaderElement object, 416, 422 SOAPHeader object, 111, 409–410, 416, 421–422 SOAPMessage object, 411, 415, 417–418, 421, 423 SOAP Messaging, 128, 130 element, 213 SOAPPart object, 409, 412, 416 SOAP RPC, 46, 128–130 SOAP Transport, 46 Solaris Operating Environment, 729 SpecificationLink class, 500 SSL (Secure Socket Layer), 137, 628, 631, 632 SSO (Single Sign-On), 686, 698–706 startDocument ( ) method, 347 startElement ( ) method, 348 Structure data type, 120–121 Sun Cluster software, 729–730 Crimson parser, 339, 342 Keytool utility, 641–643 products, 36 Sun ONE (Open Net Environment) architecture product stack, 727–731 service layers, 724–725 Index 755 Solaris Operating Environment, 729 standards and technologies, 725–727 Sun Cluster, 729–730 Sun ONE Application Server, 36, 731 Sun ONE Directory Server, 730 Sun ONE Identity Server, 687, 730–731 Sun ONE Integration Server, 731 Sun ONE Message Queue, 15, 731 Sun ONE Messaging Server, 730 Sun ONE Portal Server, 730 Sun ONE Studio, 215, 728–729 Sun ONE Web Server, 730 description, 36, 37 ebXML, 719–723 Platform for Network Identity, 701 Services on Demand, 715–718, 724–725 vision behind, 715–717 Web applications, 718 Web clients, 723 Web services, 718–723 symmetric algorithms, 624–626 synchronous connections, 513–514 Systinet products, 36 UDDI Registry, 224, 255–256 WASP, 36, 215–221, 254–255, 688 T tag, HTML, 314 tag, XML, 309, 314–319, 335 targetNamespace attribute tcpmon utility, 153–154, 179–180, 198 TemplateGenerator class, 663–664 templates, XSL, 368–369 TLS (Transport Layer Security), 631, 632 data structure, 231, 233–235, 237, 243, 244 data structure, 245, 252 data structure, 237 data structure, 243 Transformer, JAXP, 340 TransformerFactory class, 340, 342, 374 Transformer Factory Configuration Error, JAXP, 340 transparency, 9 Transport Layer Security (TLS), 631, 632 Triple-DES standard, 625 trust service provider, 675 Trust Services Integration Kit (Verisign), 633 trust services providers, 668–670, 678 two-tier architecture model, 6 tag, 152 element, 205, 208, 209 U UDDIApiInquiry object, 261 UDDIApiPublishing object, 257, 265 UDDI Business Registry (UBR), 223–224 unDeprecateObjects ( ) method, 519 Universal Description, Discovery, and Integration (UDDI) categorization, 233–236 data structures, 229–232 description, 29, 222–223 implementations, 254–255 inquiry API functions find_xx functions, 235–244 get_xx functions, 244–248 search qualifiers, 248–249 TE AM FL Y Team-Fly® 756 Index Universal Description, Discovery, and Integration (UDDI) (continued) limitations, 269 programming API, 226–229 publishing API functions, 249–253 publishing information to a UDDI registry, 257–260 registering as Systinet UDDI registry user, 255–256 registries business uses of, 225 categorization in, 233–235 deleting information from, 264–268 description, 49 interfaces, 224, 225 private and public, 223 searching information in, 260–264 specifications, 225–226 UBR (UDDI Business Registry), 223 in Web services implementation, 52 in Web services architecture, 46, 49 unmarshalling, 303, 394–395 URIResolver interface, 376 URLEndpoint object, 423, 598 User objects, 502 V ValidateException message, 395 validate ( ) method, 395 validate service, X-KISS, 676–677 validateSignature ( ) method, 662–663, 666 validation Document Type Definition, 325–328 DOM and, 357 importance of, 324 JAXB services for, 303 parser configuration for, 346 SAX support for, 343 XML Schema, 328–336 element, 676 Verisign, 630, 656, 668, 671, 675, 688 VersionMismatch attribute, 113 W WASP (Systinet), 36, 215–221, 254–255, 688 WDDX (Web Distributed Data Exchange), 105 WebLogic clientgen utility, 62, 92 database table creation, 65–69 deployment descriptor, 88–89 description, 34–35, 61–62, 215, 254 home page generation, 95–96 servicegen utility, 62, 91 Workshop, 61 Web service deployment descriptor (WSDD) file, 151–152, 158–159, 176 Web services architecture communication models, 50–51 core building blocks, 43–45 design requirements, 43 service-oriented architecture, 41 standards and technologies, 45–50 W3C working group on, 42 benefits, 38, 620 challenges in, 34 characteristics of, 25–26 definition, 22 description, 21–22 emergence of, 20 example scenario, 22–24 implementation steps, 52–53 life cycle, 203–204 motivation for, 24–25 operational model, 26–27 reasons for choosing over Web applications, 26 Index 757 standards, 28–34, 45–50 strategies, vendor supplied, 37 vendors of software and tools, 34–36 Web Services Choreography Inter- face (WSCI), 31 Web Services Description Language (WSDL) anatomy of definition document, 205, 208–210 Axis support, 152–153 bindings, 211–214 definition creation, 203 display on WebLogic home page, 97–98 example document, 47–48 future of, 221–222 independence of, 204 information contained in defini- tion, 202–203 instance specific namespace, 208 interoperability and, 273 JAX-RPC service development, 463–464 limitations of, 222 mapping, 474–475 obtaining the WSDL of a Web service, 277, 284 operation types, 209–212 service description, 52, 55 service requestor client creation, 158 tools, 214–221 versions, 49, 202, 221–222 weather information service sam- ple code, 205–207 in Web services architecture, 46, 47–49, 203–204 Web Services Interoperability Orga- nization (WS-I), 291–292 web-services.xml deployment descriptor, 91 White Mesa, 292 WSCI (Web Services Choreography Interface), 31 WSDD (Web service deployment descriptor) file, 151–152, 158–159, 176 WSDL. See Web Services Description Language WSDL.exe utility, 277 WSDLJava2 utility, 153, 158 X X.509 certificate, 653, 654, 664–665, 672 XACML. See XML Access Control Markup Language Xalan, 342, 648 X-BULK, 671, 682–684 X-KISS. See XML Key Information Service Specification XKMS. See XML Key Management Specification X-KRSS. See XML Key Registration Service Specification XLANG, 32 XML (Extensible Markup Language) basics, 314–316 benefits, 19 description, 28 history, 314 HTML compared, 314 namespaces, 322–323 parsing to DOM tree, 647, 648 syntax, 316–322 uses of, 315 validation of documents Document Type Definition (DTD), 325–328 importance of, 324 XML Schema, 328–336 XML Access Control Markup Language (XACML), 33, 706–710 758 Index XML Encryption decrypting an element, 643–644 definition, 32, 631 description, 630–631 EncryptDecrypt class, 637, 645, 648 encrypting an element, 641–643 EncryptionTest class, 637–641, 642, 643 example of use, 631–632, 633–638 implementation of, 633 key pair generation, 641–642, 643 programming steps for encryption and decryption, 644–650 SSL/TLS compared, 631, 632 XML Helper class, 70, 79–84, 187–191, 280–283 XML Key Information Service Speci- fication (X-KISS), 33, 670–677 XML Key Management Specification (XKMS) components, 670 description, 32–33, 668–670 implementations, 671 SOAP envelope, 671 usage diagram, 669 W3C Working Group, 670 X-KISS, 670, 671–677 X-KRSS, 670, 677–685 XML Key Registration Service Speci- fication (X-KRSS), 33, 670, 677–685 XML Metadata Interchange, 105 XMLReader class, 349 XML Schema attributes, 335–336 definitions, 330–335 description, 328 DTD compared, 328–329 elements, 330–335 interoperability issues, 290 multiple schema, 330 namespace declaration, 329 XML Security Library (Aleksey Sanin), 633 XML Security Suite (IBM), 633 XMLSerializer API (Xalan), 648 XML Signature canonicalization, 655–656 description, 33 GenerateValidatesSignature class, 657–658, 661–663, 666 implementations of, 656 programming steps for generating and validating, 662–668 SignatureTest class, 657–662, 666 syntax, 652–654 types of signatures, 651–652 Working Group, 631 XPath, 365, 639, 665 xrpcc tool, 456, 459–460, 463–464, 479, 483 XSL (Extensible Stylesheet Language) description, 364–366 namespaces, 367 root element, 366 syntax, 368–371 XML declaration, 366 XSLT (Extensible Stylesheet Language Transformation) description, 300–301, 372–373 factory and transformer class, 374–376 processing model, 373–374 sample code, 377–383 transforming XML, 376–377