Web Services Applications and Security: Part 1

Introduction

Business and technology are the two arms of any company that like to offer services to satisfy customer needs efficiently. It has been proven that technology helps the business execute in a manner that reaches the customers of global scope using the latest technologies, such as the Internet and other communication channels, such as mobile. For the past couple of years, the technology has helped design new business models. One such business model is e-commerce or e-business, which is nothing but business over the wire/Internet. This model is used for Business-to-Business (B2B) transactions and Business-to-Customer (B2C) transactions. Now, most organizations (private and public, ltd) prefer to establish their business through the Internet.

So, it is clear that technology revolutions are helping in key decisions of long-term corporate planning and giving ideas to think about innovative ways to do business in a highly efficient and effective manner that meets and satisfies the customers' needs.

One recent revolution in technology is the Service Oriented Approach (SOA) or Web Services Model, which changes the business over the Web or redesigns the e-commerce model. It is a loosely coupled architecture that fits into an existing system/infrastructure and is more flexible to enhance the application later.

The SOA or Web Services model is an approach that allows the publishing of business functionalities as services and registered with some broker. The customer or consumer of the service then can contact the broker to get the best services in terms of cost effectiveness and quality. The companies like to move their services as Web Services, but they are really looking for the key benefits that they are getting out of the Web Services model.

When you decide to start a business, you need to think not only about getting profit from the business, but also about things that can affect your business in the future. One important thing is the security implementation in your Web Service Application.

The objective of this article is to bring out the key benefits of the Web Services model and attempt to throw some light on various security scenarios for the implementation of the Web Service application to make your application more reliable and secure.

So, let us start our journey with the following route map now.

• What is a Web Services Model?
• When should you use a Web Services model?
• What are the key benefits of a Web Services model?
• How can we secure a Web Services application?

Web Services are a new breed of Web applications. They are self-contained, self-describing, and modular applications that can be published, located, and invoked across the Web. Web Services perform functions that can be anything from simple requests to complicated business processes. Once a Web Service is deployed, other applications (and other Web Services) can discover and invoke the deployed service.

The following Use Case scenario demonstrates how the Web Services model helps do business in innovative ways, the key benefits that we get from it, and gives you an overview of various scenarios to make an application efficient in terms of security.

Use Case: Online Bookstore Web Services Application

Before going into Use Case functionalities, let us look at the key things involved in this use case. The use case demonstrates how a Web Service application is different from a normal e-commerce application and the value added for the business when we move into a Web Service model.

The Online Bookstore Use Case involves functionalities such as providing interfaces to browse catalogs of books, get an order from the customer, accept online payment, and so forth.

What are the customer's key requirements?

The customer wants to buy a book and he/she would like to search for a book that matches his/her requirements in terms of cost, concepts, breadth of knowledge, and so on. The customer does not want to limit himself to few links. He does not care whether the broker has contacts with all the publishers or not. The customer's main aim is to get the best book that matches his interest.

Approach 1—Normal E-Commerce/General Web Site Approach

We have used many Web sites that are doing business over the Internet/Web. You might be aware of how they operate and execute their service. This article does not focus on how they built the application. This article aims to bring out how the Web Service model is more beneficial than a simple e-commerce approach.

Suppose you implement a Bookstore application just like a normal Web site that provides a set of links to each category by Subject/Author/Publisher. Then let us see what is happening.

The customer is able to get information only about a set of URLs/links/pages provided by the Web site. This is very limited information because any Web site can provide only a set of links/pages under each category.

Customer side:

• He should be restricted to get limited information.
• If he is not satisfied with the information at the Web site, he needs to go to another Web site for more information.
• He has to spend a lot of time in terms of browsing all these sites and there is no guarantee that he will get the information he wants.
• He is not able to get a wide amount of information about his choice.

Provider side:

• The provider needs to provide more information about each category of books.
• It is a very difficult task to maintain a whole set of information about different publishers, subjects, concepts, and so forth.
• If the provider is very much interested in offering all the information, he should spend a lot of money to get information and present the information in terms of Web pages.

Approach 2—Recommended Approach

Web Services Architecture

The important entities in this architecture are the Service Provider and Service Requestor. Service providers (producers) maintain information about their services in a registry. Service requesters (consumers) search registries for services. Once found, a service can be invoked. A Service Broker (Registry Provider) is a repository of all services that are registered with the Registry. Assume that in our use case, book publishers (Wrox, O'Reilly, and so on) act as Service Providers and customers play the role of service consumers.

The bookstore application acts as a Service Broker to provide an interface between the customer and service providers.

Online Bookstore Application Use Case Diagram

Following are some services that are offered at the Bookstore Application:

• BrowseCatalog Service
• Order Service
• Payment Service

Let us look at each service and how it fit into the Web Services architecture.

BrowseCatalog Service

This service offers a wide variety of information to the customer, such as all books from a particular publisher/subject, and so forth. How can we get information from a wide network? Is there any mechanism, such as browsing all Web sites to get information?

1. The answer is that service providers (Book Publishers) register their service in a business registry and provide information about their services. For example, a service provider offers a BrowseCatalog service that allows a person to see all the books that the provider published. The provider should register this service with the business registry with details about what books are published in each category and the URL to access the service.
2. The Bookstore Application searches the business registry with a query that was passed by the customer with his choice of interest.
3. The BrowseCatalog Service starts finding the books that matched the customer's search string.
4. The registry sends and receives information to the BrowseCatalog service that meets the search criteria. The BrowseCatalog service sends the customers a list of the books that are available from different publishers.
5. If there are no books available, the Bookstore Application asks the customer whether he is interested in another book. If customer is ready to go for another request, it continues its job until the customer likes the result.

Order Service

Once the user gets a set of results that matches his interest, he spends time choosing the best option out of a set in terms of price, concepts, quality, and so forth. Now he is ready to place an order for the book. The Order Service is the service provided by service providers (Book Publisher) to place an order. Let us see what steps are involved in placing an order.

1. It asks the customer about personal details such as name, contact information, shipment address, and the date that he prefers for the book's delivery.
2. It also keeps data about the date of birth and his areas of interest for further reference or correspondence.
3. It asks the customer the mode of payment that he desires, such as a credit card or cheque (if it is allowed).
4. After the customer has placed the order in Bookstore Application, it automatically navigates into the Payment Service.

Payment Service

The Payment Service is actually the core piece of the Bookstore Application. It deals with the more critical data, such as credit card information. We will see in the next section how can we secure the data and our Web Services application. Before that, let us examine how the payment service works.

1. The Bookstore Application deals with the Payment Service for payment authorization. The Payment Service does lot of validation on the information provided by customer, whether he is reliable or not.
2. The information provided in Payment Service may travel through different networks, so there is a chance to lose valuable credit card or other information.
3. There is need to impose high security measures to make the application reliable, such as encrypting the credit card information, authenticating the user, authorizing permission to access services, and so forth.
4. The Bookstore application authenticates the user when he logs in to the system. It also allots permission to access the various services based on their category of registration (payment/general).
5. It encrypts the credit card information before it sends it across the application.
6. There are many ways to make an application secure. So, the next part of this article talks about various security scenarios that help to make a Web Service application secure.

The Key Benefits of a Web Services Approach

• When we compare the two approaches, it is hard to extend beyond the original scope; in other words, the customer might need information (more URLs or book information) from the Bookstore Application.
• In Approach 1, there is no common registry. But the Web Services approach (Approach 2) provides a widely accepted common registry (cross vendors, platforms, and the industry).
• The Web Services Approach provides a consistent architecture, whether the application has to be used inside or outside of the enterprise and regardless of which development environment is used.
• The base of the Web Services Architecture is SOA, which is a new architectural approach that is more flexible to enhance the application.
• A lot of money can be saved by getting the information and presenting the content. This is a very simple phenomenon; everybody publishes their work and you may use their service if it matches your needs.
• We can close the services that are not profitable without affecting the other services.

Let us stop getting the list. These are only a few benefits from the Web Service model. It may provide a lot more, depending on how effectively you designed and implemented the application.

If you have keenly observed the application, you can guess that some of the services deal with money transactions, especially the PaymentService component. It takes credit card information and invokes another Web Service such as verification of the credit card holder's details. There are chances to make the data that has been transferring over the Internet confidential. So, security plays an important role in making the Web Services Application more reliable and usable.

The next part of this article gives you a picture of how you can make a simple Web Services application secure.

About the Author

Sridhar Ravuthula is a senior software engineer with Hewlett-Packard, India. He has a master's degree in computer applications. Sridhar has been involved in designing and developing J2EE-based solutions on various platforms. He has worked in flagship product development, e-speak, and HP Bluestone (HPAS).

He has good knowledge and hands-on experience in Web Services technologies .You can reach him at sridhar_ravuthula@hp.com or sridharravatula@yahoo.co.uk.